Fortnite is an extremely popular video game that people of all ages play. Epic Games had said earlier this year that they were going to release their own app for Android users rather than make it available via the Google Play Store. Researchers warned Epic Games of the dangers that this could have for Android users because users would have to disable certain security features. Epic Games did not listen and the researchers ended up being correct. A dangerous flaw was discovered in the Fortnite installer for Android that could allow other apps that are installed on the targeted devices to manipulate the installation process and install malware rather than the APK. Fortnite for Android was vulnerable to a man-in-the-disk attack. In order for Android users to install Fortnite on their mobile device, the user needs to install a “helper” app which installs Fortnite to the device’s storage. Any app on the device with the “WRITE_EXTERNAL_STORAGE” permission can intercept the installation and replace the installation file with a malicious APK. This includes one with full permissions granted which could allow attackers to access SMS, GPS, camera, or call history without knowledge to the user. According to researchers, “on Samsung devices, the Fortnite Installer performs the APK install silently via a private Galaxy Apps API. This API checks that the APK being installed has the package name com.epicgames.fortnite. Consequently, the fake APK with a matching package name can be silently installed.” A patch was released on August 15th for version 2.1.0 of the Fortnite installer. Users are urged to update as soon as possible.
