Fortnite for Android Found Vulnerable to MitD Attacks

According to Google researchers, the Android version of one of the most popular video games had a serious security gap
28 August 2018

Security experts from Google found a vulnerability in the installer package of Fortnite for Android smartphones. The application was vulnerable to a Man-in-the-Disk (MitD) attack, which made it possible to download and run any application with an unlimited number of privileges. The developer has already released version 2.1.0 with security fixes.

The company's researchers published information about the problem in Google's bug tracker on August 15, 2018. They became interested in the app after the publisher decided not to release the game in the Google app store, thereby avoiding giving the company 30% of the revenue from in-game purchases.

After this became known, specialist publications such as Android Central raised concerns about the safety and usefulness of Epic's strategy. The company distributes the game installer through its own site, and to launch it the user has to tick the "Installing from unreliable sources" box in the device settings.

Using the MitD vulnerability in the Fortnite installer, an attacker could download any program to the device, including malware. This was due to the way Android manages external storage, which is shared by all applications. Because the mobile version of Fortnite does not contain the game itself but downloads additional files from the Epic Games repository, it left external storage open to hackers.

Any app with the WRITE_EXTERNAL_STORAGE permission can substitute the APK immediately after the download is completed and the fingerprint is verified. This is easily done using a FileObserver. The Fortnite Installer will proceed to install the substituted (fake) APK. If the fake APK has a targetSdkVersion of 22 or lower, it will be granted all permissions it requests at install-time. This vulnerability allows an app on the device to hijack the Fortnite Installer to instead install a fake APK with any permissions that would normally require user disclosure.

Google Researcher
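The check-then-install gap the researcher describes, modelled as an added example (not code from Epic or Google): one temporary directory stands in for shared external storage and another for the installer's app-private storage, such as the directory `Context.getFilesDir()` returns on Android. All function names, file names and APK contents are constructed for illustration.

```python
import hashlib, os, shutil, tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def install_from_shared(apk_path, expected, between_check_and_use=lambda: None):
    """Flawed pattern: verify the file in shared storage, then re-open it by path."""
    if sha256_file(apk_path) != expected:
        raise ValueError("fingerprint mismatch")
    between_check_and_use()          # any app with write access can act here
    with open(apk_path, "rb") as f:  # second read: not the bytes that were verified
        return f.read()              # stands in for handing the APK to the installer

def install_from_private(apk_path, expected, private_dir, between_check_and_use=lambda: None):
    """Hardened pattern: stage a private copy, verify that copy, install that copy."""
    staged = os.path.join(private_dir, "staged.apk")
    shutil.copyfile(apk_path, staged)
    os.chmod(staged, 0o600)          # only the installer itself may touch the copy
    if sha256_file(staged) != expected:
        os.remove(staged)
        raise ValueError("fingerprint mismatch")
    between_check_and_use()          # the shared file may change; the staged copy cannot
    with open(staged, "rb") as f:
        return f.read()

def demo():
    genuine, other = b"GENUINE-APK (constructed)", b"OTHER-APK (constructed)"
    expected = hashlib.sha256(genuine).hexdigest()
    with tempfile.TemporaryDirectory() as shared, tempfile.TemporaryDirectory() as private:
        apk = os.path.join(shared, "download.apk")
        def write(data):
            with open(apk, "wb") as f:
                f.write(data)
        rewrite = lambda: write(other)  # models a second app with WRITE_EXTERNAL_STORAGE
        write(genuine)
        flawed_ok = install_from_shared(apk, expected, rewrite) == genuine
        write(genuine)
        hardened_ok = install_from_private(apk, expected, private, rewrite) == genuine
        try:  # the shared file now holds the other bytes: staging must reject it
            install_from_private(apk, expected, private)
            rejected = False
        except ValueError:
            rejected = True
    return flawed_ok, hardened_ok, rejected

if __name__ == "__main__":
    print(demo())
```
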

After filing the report in the bug tracking system, the company's researchers informed Epic's developers about the need to release a patch. The report on the problem was made public on August 25, 2018, a week after the fix appeared in version 2.1.0.

Android is an open platform. We released software for it. When Google identified a security flaw, we worked around the clock (literally) to fix it and release an update. The only irresponsible thing here is Google’s rapid public release of technical details. We asked Google to hold the disclosure until the update was more widely installed. They refused, creating an unnecessary risk for Android users in order to score cheap PR points. Google did privately communicate something to the effect that they’re monitoring Fortnite installations on all Android devices(!) and felt that there weren’t many unpatched installs remaining.

Tim Sweeney

CEO, Epic Games

Another Battle Royale game, PlayerUnknown's Battlegrounds, has also been a target of hackers. In April 2018, researchers found ransomware related to it.

New Vulnerability Found in Google+

The vulnerability made it possible to obtain private information from 52.5 million accounts
11 December 2018

Google decided to close the Google+ social network in April rather than in August 2019. The reason was another vulnerability in the API, which made it possible to obtain private information from 52.5 million accounts. The company plans to close the social network's API by mid-March 2019.

As of December 10, 2018, the following information about the bug had been published:

  • because of the bug in the API, third-party applications requesting access to profile data received permission to view information even if it was hidden by privacy settings;
  • users' names, email addresses, occupation, age and other confidential information were at risk;
  • passwords, financial data and national identification numbers were not compromised;
  • the company has no evidence that anyone exploited the vulnerability;
  • the bug was fixed within 6 days: from November 7 to November 13, 2018;
  • Google said it is sending notifications to all users affected by the bug.

The previous leak of Google+ user data occurred in October 2018. At that time, about 500 thousand accounts were compromised. The attackers could obtain users' names, email addresses, age, gender and occupation.