Errors happen to everyone. However, those related to security can cause many problems for users of the application. That’s why Google employees are interested in how Android apps are protected. Recently, they found a bug in the Fortnite game installer, which could be used by cybercriminals to install any application (especially malicious) without the user’s knowledge.
Google has recently been criticized by Epic Games for the excessive level of commission on micropayments made through the Play store. That’s why Fortnite is distributed in a completely different way than most of the titles available on Android. Samsung owners can install it from Galaxy Apps. However, owners of other brands of smartphones must download the installer from the Epic Games website and allow installation of the application from an untrusted source. Fortunately, you do not have to activate the permission to install apk files from any source on new Android. However, the system of exceptions used in the Google system is vulnerable to attacks. The Fortnite and Galaxy Apps installers are treated by the system as a trusted source, which creates the risk of a Man-in-the-Disk attack. It involves interception of the file request by the external application, which is sent by the game installer. In this way, Fortnite can download and install any application, and the unsuspecting user will start it. Below you have a short recording that shows what this type of attack looks like.
Epic Games published the fix for Fortnite installer in less than 48 hours
Google engineers are serious about the security of Android users. Therefore, Epic Games employees were immediately informed of the vulnerability found. Epic Games has also behaved as it should. On the same day (August 15) the problem was passed to engineers who were to solve it. The next day, the attack method was recreated by Epic Games employees, who in a few hours developed a patch and began testing it. The revised installer (version 2.1.0) has been made available to users on August 17. Epic Games has asked Google not to publish information describing the error found for 90 days from the time the application was submitted. This is a standard policy used in this type of events. However, Google employees have referred to a different rule. She says that the Mountain View giant can share information related to the discovered vulnerability to the public 7 days after it has been patched. That is why, Google published on August 24 communication related to this case via the Google Issue Tracker platform.
Source: Google Issue Tracker, XDA-Developers, AndroidCentral