Fortnite Android to be Vulnerable to MitD Attacks

According to Google researchers, Android version of one of the most popular videogames had a serious security gap
28 August 2018   239

Security experts from Google found a vulnerability in the installation package of Fortnite for Android-smartphones. The application is vulnerable to Man-in-the-Disk (MitD) attack. It allowed to download and run any application with an unlimited number of privileges. The company-developer has already released version 2.1.0 with security fixes.

Researchers of the corporation published information about the problem in Google's bug-tracker on August 15, 2018. They became interested in the app after the publisher decided not to release the game in the Google app store, thereby deciding not to give the company 30% of the revenue for in-game purchases.

After it became known, profile publications like Android Central expressed concerns about the safety and usefulness of such an Epic strategy. The company promotes the game installer through its own site, and to launch it, it is necessary to put a checkmark in the box "Installing from unreliable sources" of the device settings.

Using the MitD vulnerability in the Fortnite installer, an attacker could download any program to the device, including malware. This was due to the peculiarity of external memory management in Android - it is used by all applications together. Because the mobile version of Fortnite does not contain the game itself, but loads additional files from the Epic Games repository, it leaves the external memory open to hackers.

Any app with the WRITE_EXTERNAL_STORAGE permission can substitute the APK immediately after the download is completed and the fingerprint is verified. This is easily done using a FileObserver. The Fortnite Installer will proceed to install the substituted (fake) APK. If the fake APK has a targetSdkVersion of 22 or lower, it will be granted all permissions it requests at install-time. This vulnerability allows an app on the device to hijack the Fortnite Installer to instead install a fake APK with any permissions that would normally require user disclosure.

Google Researcher

After publishing the information in the bug tracking system, the researchers of the corporation informed Epic developers about the need to release the patch. The specialists made a report on the problem public on August 25, 2018, a week after the correction appeared in version 2.1.0.

Android is an open platform. We released software for it. When Google identified a security flaw, we worked around the clock (literally) to fix it and release an update. The only irresponsible thing here is Google’s rapid public release of technical details. We asked Google to hold the disclosure until the update was more widely installed. They refused, creating an unnecessary risk for Android users in order to score cheap PR points. Google did privately communicate something to the effect that they’re monitoring Fortnite installations on all Android devices(!) and felt that there weren’t many unpatched installs remaining.

Tim Sweeney

CEO, Epic Games

Another Battle Royale game - PlayerUnknown's Battlegrounds - also became the target of hackers. In April 2018, the researchers found a related ransomware.

Google to Release Cloud Inference API

Cloud Inference API can be used for real time big data analysis 
20 September 2018   91

Google introduced an alpha version of the service for time series analysis. It processes information about events at the time - clicks, requests, activations of IoT devices, and so on. The Cloud Inference API analyzes these data in real time, finds correlations and makes predictions based on it.

Cloud Inference API
Cloud Inference API 

Service features:

  • A simple tree-like query language that allows you to specify your own time markers.
  • Online processing of incoming data with minimal delay. Therefore, Google recommends using the API in interactive user applications.
  • Ability to process data arrays of different volumes (up to trillions of records) and work under high load (up to hundreds of thousands of requests per second).
  • Full integration with Google Cloud Storage, which provides access to the same data in different services of the platform.
  • More information about the work of the tool can be found in the documentation.

Google noted that the service will be useful for a wide range of industries. Retailers can analyze the impact of pedestrian traffic on the level of sales conversion, content providers - the popularity of materials to provide better personal recommendations.

Now the Cloud Inference API is already being used by Snap to analyze the data received through the Snapchat application.

Google Cloud is developing a number of cloud services. At the end of August 2018, the company updated the tools for converting speech to text and vice versa. Cloud Text-to-Speech received support for several new languages ​​and voices, and Cloud Speech-to-Text - recognition of several speakers, language and the ability to highlight important words