Fortnite for Android’s installer left devices briefly vulnerable to exploits

Fortnite made its Android debut a few weeks ago and chose to avoid the Google Play Store, citing high-minded principles of openness and “$uc£$$ ba$£d on m£rit.”

However, critics pointed out that Epic encouraging users to bypass the Google Play Store in favor of its own solution could lead to trouble down the line. Earlier in the month, a Google engineer posted to the issue tracker a proof of concept of just one of the ways users could be adversely affected, saying:

Any app with the WRITE_EXTERNAL_STORAGE permission can substitute the APK immediately after the download is completed and the fingerprint is verified. This is easily done using a FileObserver. The Fortnite Installer will proceed to install the substituted (fake) APK.

On Samsung devices, the Fortnite Installer performs the APK install silently via a private Galaxy Apps API. This API checks that the APK being installed has the package name com.epicgames.fortnite. Consequently the fake APK with a matching package name can be silently installed.

If the fake APK has a targetSdkVersion of 22 or lower, it will be granted all permissions it requests at install-time. This vulnerability allows an app on the device to hijack the Fortnite Installer to instead install a fake APK with any permissions that would normally require user disclosure.

In plain English, this means that another app on the device can swap in an APK that simply uses the package name com.epicgames.fortnite, and Fortnite’s Installer app will grab and install it automatically. Thanks to Google pointing out the issue, Epic Games was able to release a patch to the installer to prevent any such exploits from running. Google later unrestricted the issue so other parties could see it, but only after it had been patched for all supported versions of Android.
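The report describes a gap between checking the APK's fingerprint and installing a file that other apps can still overwrite. As an added illustration (not Epic's patch and not code from the report), the Java sketch below closes that gap by hashing the same bytes it streams into a system-owned `PackageInstaller` session, so there is no shared file to replace after the check. The class name `VerifiedInstall`, the `expectedSha256` parameter and the `onResult` callback are assumptions for the example, and it does not cover the private Galaxy Apps API path.

```java
import android.app.PendingIntent;
import android.content.Context;
import android.content.pm.PackageInstaller;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Hypothetical helper: hash exactly the bytes handed to the system installer. */
public final class VerifiedInstall {
    private VerifiedInstall() {}

    /**
     * @param apkStream      download stream or a file in app-private storage
     *                       (context.getFilesDir()), never shared external storage
     * @param expectedSha256 digest from a trusted, authenticated source (assumed)
     * @param onResult       PendingIntent that receives the install status
     */
    public static void install(Context context, InputStream apkStream,
                               byte[] expectedSha256, PendingIntent onResult)
            throws IOException, NoSuchAlgorithmException {
        PackageInstaller installer = context.getPackageManager().getPackageInstaller();
        PackageInstaller.SessionParams params = new PackageInstaller.SessionParams(
                PackageInstaller.SessionParams.MODE_FULL_INSTALL);
        int sessionId = installer.createSession(params);

        try (PackageInstaller.Session session = installer.openSession(sessionId)) {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            // The session's staging area is owned by the system; other apps
            // cannot write to it, unlike a file on external storage.
            try (OutputStream out = session.openWrite("base.apk", 0, -1)) {
                byte[] buf = new byte[64 * 1024];
                int n;
                while ((n = apkStream.read(buf)) != -1) {
                    sha256.update(buf, 0, n);   // hash the same bytes...
                    out.write(buf, 0, n);       // ...that are being staged
                }
                session.fsync(out);
            }
            // Constant-time compare; abandon the session on any mismatch.
            if (!MessageDigest.isEqual(sha256.digest(), expectedSha256)) {
                session.abandon();
                throw new SecurityException("APK digest mismatch; install abandoned");
            }
            session.commit(onResult.getIntentSender());
        }
    }
}
```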

Source: Google via TechCrunch.
