Image credit: Jon Fingas/Engadget

Initial 'Fortnite' Android installer let hackers install malware

You wouldn't have even known malware was on your phone.

When Epic said it would skip the Google Play Store with Fortnite's Android release, it raised eyebrows among security experts. Wasn't it creating risks by encouraging gamers (some of whom didn't understand the potential dangers) to install non-Store apps? Well, it did... although not quite in the way you might have expected. Epic Games has patched a Google-discovered vulnerability in Fortnite's original Android installer that would have let intruders download and install malware. The exploit used a man-in-the-disk attack that took advantage of Epic's initially flawed storage handling to intercept download requests and load nefarious content.

Attackers first had to trick you into installing an app designed to look for the flaw, which might not have been difficult when players could be hunting for cheats and "free V-Bux" apps. If present, the app hijacked the install process to grab its own code without even hinting that malware was coming. You didn't need to have Android's "install unknown sources" option enabled beyond when you downloaded the Fortnite installer, and Samsung device owners didn't even have to make that effort (since they downloaded through Samsung's own Galaxy Apps).

Epic told Android Central that it delivered the fix within 48 hours after receiving word from Google, and it's not clear that anyone took advantage of the security hole in the few days where it was present. The developer isn't happy with how Google addressed the situation, however. It accused Google of being "irresponsible" for publicly disclosing the flaw before many people had a chance to update their installers, and claimed Google "refused" to wait until more players had updated. That's not necessarily the case (Google appeared to have honored its disclosure policies), but it's reasonable to presume that some Fortnite fans hadn't been diligent in updating before the vulnerability was public knowledge.
