Earlier this month, Epic Games announced non to brand its insanely pop game 'Fortnite for Android' available through the Google Play Store, but via its ain app.
Many researchers warned the fellowship that this approach could potentially set Android users at a greater risk, equally downloading APKs exterior of the Play Store is non recommended together with requires users to disable roughly safety features on Android devices equally well.
And it seems similar those fears together with concerns were true.
Google developers discovered a unsafe safety flaw equally shortly equally the Fortnite game launched on Android.
Fortnite Android Installer Vulnerable to Man-in-the-Disk Attack
In a nutshell, man-in-the-disk attacks permit malicious apps to manipulate the information of other apps held inwards the unprotected external storage earlier they read it, resulting inwards the installation of undesired apps instead of the legitimate update.
For those unaware, to install Fortnite on your Android phone, yous showtime demand to install a "helper" app (installer) that downloads Fortnite to your phone's storage together with installs it on your phone.
Google developers discovered that whatsoever app on your telephone amongst the WRITE_EXTERNAL_STORAGE permission could intercept the installation together with supervene upon installation file amongst another malicious APK, including i amongst sum permissions granted similar access to your SMS, telephone band history, GPS, or fifty-fifty camera—all without your knowledge.
"On Samsung devices, the Fortnite Installer performs the APK install silently via a somebody Milky Way Apps API. This API checks that the APK existence installed has the bundle bring upwardly com.epicgames.fortnite. Consequently, the mistaken APK amongst a matching bundle bring upwardly tin last silently installed," Google researcher said.
"If the mistaken APK has a targetSdkVersion of 22 or lower, it volition last granted all permissions it requests at install-time. This vulnerability allows an app on the device to hijack the Fortnite Installer to instead install a mistaken APK amongst whatsoever permissions that would unremarkably require user disclosure."
Patch Update for Fortnite for Android Installed
Since the showtime version of the Fortnite installer was alone launched on Samsung phones, the vulnerability only affected the Fortnite installer available through the Milky Way Apps store, together with non the version made available for non-Samsung devices.
Google discovered together with reported the vulnerability on fifteen August to Epic Games, which confirmed its existence, together with issued a piece inside merely 48 hours amongst the unloosen of version 2.1.0 of the Fortnite installer.
However, too thanking Google for sharing the põrnikas details, Epic Games CEO Tim Sweeney also criticized researcher for publicly disclosing the vulnerability inside vii days rather than waiting xc days.
"We asked Google to concur the disclosure until the update was to a greater extent than widely installed. They refused, creating an unnecessary jeopardy for Android users inwards society to grade inexpensive PR points," Sweeney tweeted.
"But why the rapid world unloosen of technical details? That does cipher but plow over hackers a adventure to target unpatched users."
For users' part, Fortnite players are highly recommended to update their installer to the latest version 2.1.0. If yous accept already updated but are nonetheless worried most the impact, uninstall together with reinstall Fortnite for Android together with start in i lawsuit again from scratch.
Since Epic Games has non released to a greater extent than information on this bug, it is unclear whether the flaw was actively exploited inwards the wild together with how many people downloaded the flawed Android APK.
