Google Found A Serious Security Flaw In Fortnite Installer For Android

Epic Games has released Fortnite Battle Royale on both major mobile platforms


In brief: Earlier this month, rumors that Epic Games wanted to avoid Google's 30 percent revenue cut by distributing the Android version of Fortnite outside the Play store proved to be true.

To be clear, the wayward app in question isn't Fortnite for Android itself but the Fortnite Installer for Android.

On Samsung Experience devices such as the Galaxy S8+, Note 9, and the Tab S4, Fortnite is distributed via the Samsung Galaxy Apps store.

Google apparently noticed the issue and told Epic Games about it on Wednesday, August 15, and Epic has since patched its software to prevent the issue from continuing. The technique is also known as a "man-in-the-disk" attack. The vulnerability took advantage of the fact that, rather than installing Fortnite directly, you first have to download an installer, which then downloads the necessary bits for you.

While it's certainly not 100 percent safe, the Google Play Store does offer some protections, and sideloading the Fortnite installer means allowing installations from unknown sources, something that's not recommended, especially as some users may forget to disable the permission afterward.

To further detail the vulnerability, Google also provided a proof-of-concept video of the attack on a Samsung smartphone.


Even though the company has no legal or financial stake in the matter, Google recently discovered a flaw in the code of Fortnite's mobile version that could be exploited. After the process completes, the user is seen tapping "Launch", only to find a random app open.

XDA Developers provides clear context on what went wrong with the Fortnite installer. The Fortnite installer has to be downloaded from the Fortnite website instead.

The original process had users download the Fortnite installer first, a simple app that would then download the full game directly from Epic. And because the Fortnite installer only checks the name of the APK, any file called "com.epicgames.fortnite" would be installed.
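The name-only check described above, next to a check that ties the install to the file's contents, as an added Python model that is not Epic's or Google's code. It assumes the download sits in storage other apps can write to (the man-in-the-disk setting); the `.apk` file name, the function names and the sample bytes are constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed file name built from the package name quoted in the article.
EXPECTED_NAME = "com.epicgames.fortnite.apk"


def name_only_check(apk_path):
    """Model of the flawed check: accept any file that has the expected name."""
    return os.path.basename(apk_path) == EXPECTED_NAME


def verified_stage(apk_path, expected_sha256, private_dir):
    """Copy the download into private storage first, then verify that copy.

    Verifying the private copy (not the shared file) closes the window in which
    another app could swap the file between the check and the install.
    Returns the path of the verified copy, or None if the digest differs.
    """
    staged = os.path.join(private_dir, EXPECTED_NAME)
    shutil.copyfile(apk_path, staged)
    with open(staged, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    if digest != expected_sha256:
        os.remove(staged)
        return None
    return staged


def demo():
    genuine = b"constructed bytes standing in for the genuine APK"
    swapped = b"constructed bytes standing in for a replaced APK"
    # Assumption: the pinned digest reaches the installer over an authenticated channel.
    pinned = hashlib.sha256(genuine).hexdigest()
    results = {}
    with tempfile.TemporaryDirectory() as shared, tempfile.TemporaryDirectory() as private:
        download = os.path.join(shared, EXPECTED_NAME)
        with open(download, "wb") as fh:
            fh.write(genuine)
        results["genuine_verified"] = verified_stage(download, pinned, private) is not None
        # Another app with storage access overwrites the file before the install step.
        with open(download, "wb") as fh:
            fh.write(swapped)
        results["swapped_passes_name_check"] = name_only_check(download)
        results["swapped_verified"] = verified_stage(download, pinned, private) is not None
    return results


if __name__ == "__main__":
    print(demo())
```

On Android the equivalent control is to keep the download in app-private storage and verify the package's signing certificate or digest before handing it to the package installer.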

However, Epic Games' developers quickly jumped on the issue to work on a fix, and they deployed one soon after. This vulnerability allows an app on the device to hijack the Fortnite Installer to instead install a fake APK with any permissions that would normally require user disclosure. However, much to Epic Games' chagrin, Google disclosed the vulnerability within 7 days of its discovery without heeding Epic Games' request for the usual 90-day window.

As a result, Epic CEO Todd Sweeney issued a statement to Android Central.

"Google's security analysis efforts are appreciated and benefit the Android platform, however a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic's distribution of Fortnite outside of Google Play". In fact, Google decided to take a very hard look at the installer Epic Games was using for Fortnite, and it found a massive security flaw.
