Security experts from Google found a vulnerability in the Fortnite installation package for Android smartphones. The application was vulnerable to a Man-in-the-Disk (MitD) attack, which made it possible to download and run any application with an unlimited number of privileges. The developer has already released version 2.1.0 with security fixes.
Google's researchers published information about the problem in Google's bug tracker on August 15, 2018. They became interested in the app after the publisher decided not to release the game in the Google app store, and so not to give the company 30% of the revenue from in-game purchases.
After this became known, trade publications such as Android Central expressed concerns about the safety and usefulness of Epic's strategy. The company distributes the game installer through its own site, and to launch it the user has to tick the "Installing from unreliable sources" box in the device settings.
Using the MitD vulnerability in the Fortnite installer, an attacker could download any program to the device, including malware. This was possible because of the way Android manages external storage: it is shared by all applications. Because the mobile version of Fortnite does not contain the game itself but loads additional files from the Epic Games repository, it leaves the external storage open to attackers.
Any app with the WRITE_EXTERNAL_STORAGE permission can substitute the APK immediately after the download is completed and the fingerprint is verified. This is easily done using a FileObserver. The Fortnite Installer will proceed to install the substituted (fake) APK. If the fake APK has a targetSdkVersion of 22 or lower, it will be granted all permissions it requests at install-time. This vulnerability allows an app on the device to hijack the Fortnite Installer to instead install a fake APK with any permissions that would normally require user disclosure.
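One way to close the verify-then-install gap the report above describes, as an added example that is not Epic's code and not necessarily the fix shipped in 2.1.0: stream the download straight into a PackageInstaller session while hashing it, so the bytes that are verified are the bytes that get installed and no copy ever sits on shared external storage. The class name, the `expectedSha256` input and the `statusReceiver` are assumptions.

```java
import android.content.Context;
import android.content.IntentSender;
import android.content.pm.PackageInstaller;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.DigestInputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added example: hypothetical helper, not taken from the Fortnite Installer.
public final class VerifiedApkInstaller {
    // source:         stream of the downloaded APK, e.g. the HTTPS response body
    // expectedSha256: digest published by the vendor (assumed to be available)
    public static void install(Context context, InputStream source,
                               byte[] expectedSha256, IntentSender statusReceiver)
            throws IOException, NoSuchAlgorithmException {
        PackageInstaller installer = context.getPackageManager().getPackageInstaller();
        int sessionId = installer.createSession(new PackageInstaller.SessionParams(
                PackageInstaller.SessionParams.MODE_FULL_INSTALL));
        PackageInstaller.Session session = installer.openSession(sessionId);
        boolean committed = false;
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            // Hash while copying into the session. The staged copy is held by
            // the system installer, not in storage that other apps can write.
            try (InputStream in = new DigestInputStream(source, sha256);
                 OutputStream out = session.openWrite("base.apk", 0, -1)) {
                byte[] buf = new byte[64 * 1024];
                int n;
                while ((n = in.read(buf)) != -1) {
                    out.write(buf, 0, n);
                }
                session.fsync(out);
            }
            // Constant-time comparison against the expected digest.
            if (!MessageDigest.isEqual(sha256.digest(), expectedSha256)) {
                throw new SecurityException("APK digest mismatch, nothing installed");
            }
            session.commit(statusReceiver); // installs exactly the hashed bytes
            committed = true;
        } finally {
            if (!committed) session.abandon(); // discard staged data on any failure
            session.close();
        }
    }
}
```

If a temporary file is unavoidable, the same reasoning applies to it: keep it under the app's private directory (`context.getFilesDir()`) rather than on external storage, and verify the copy that will actually be installed.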
After publishing the information in the bug tracking system, Google's researchers informed Epic's developers about the need to release a patch. The specialists made the report on the problem public on August 25, 2018, a week after the fix appeared in version 2.1.0.
Android is an open platform. We released software for it. When Google identified a security flaw, we worked around the clock (literally) to fix it and release an update. The only irresponsible thing here is Google’s rapid public release of technical details. We asked Google to hold the disclosure until the update was more widely installed. They refused, creating an unnecessary risk for Android users in order to score cheap PR points. Google did privately communicate something to the effect that they’re monitoring Fortnite installations on all Android devices(!) and felt that there weren’t many unpatched installs remaining.
CEO, Epic Games
Another Battle Royale game, PlayerUnknown's Battlegrounds, also became a target of hackers. In April 2018, researchers found ransomware related to it.