Fortnite for Android installer vulnerable to MitD attacks

When Epic Games announced that they would be cutting out Google when distributing Fortnite for Android, there was major discussion on the interwebs regarding Android security concerns. Surprise, surprise: these concerns turned out to be legitimate, as the first Fortnite Mobile for Android installer came with a very serious vulnerability that allowed installation of virtually any app, including malware or other nasty surprises.

Fortnite Mobile for iOS quickly achieved massive success when it was launched in March, but Android device owners were forced to wait for a few months before getting the game onto their smartphones. Apple charges the same thirty percent, but due to Apple’s security there is no way around using the Apple Store.

Epic was said to be unhappy with Google’s (standard) thirty percent cut if they used the Google Play Store, so the company took the decision to bypass the Google Play Store for the highly anticipated Android game. Epic released its own launcher for the game where users had to first download the installer, which in turn downloads the full game directly from Epic Games.

Google, probably seriously pissed off at the revenue they would be losing from Epic’s decision, obviously monitored the installer and promptly discovered that it was easy to exploit, with hackers able to hijack the request to download Fortnite Mobile from Epic Games.

Simply put, the Fortnite Android app is vulnerable to so-called man-in-the-disk (MitD) attacks. A man-in-the-disk attack tricks the installer app into thinking that it is downloading Fortnite Mobile, when it is instead downloading something else entirely.

Once the software is installed, tapping on the installer to launch the game opens whatever else was installed instead of Fortnite Mobile, including possible malware.
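The defensive pattern against this class of bug, as an added example that is not Epic's or Google's code: verify the package bytes as they are copied into a private location, then install only that private copy. It assumes the downloaded package sits in storage that other apps can write (the situation "man-in-the-disk" describes); Python stands in for the installer logic, and all function names, paths and sample bytes are hypothetical.

```python
import hashlib, hmac, os, tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_in_place(shared_path, expected_sha256):
    """Weak pattern: the check passes, but the caller later installs by
    path, so the bytes installed are whatever is at that path by then."""
    if not hmac.compare_digest(sha256_file(shared_path), expected_sha256):
        raise ValueError("digest mismatch")
    return shared_path

def stage_and_verify(shared_path, expected_sha256, private_dir):
    """Hardened pattern: copy into a directory only this process can write,
    hashing the bytes as they are copied, and hand back the private copy."""
    os.makedirs(private_dir, mode=0o700, exist_ok=True)
    fd, staged = tempfile.mkstemp(dir=private_dir, suffix=".apk")
    h = hashlib.sha256()
    with os.fdopen(fd, "wb") as dst, open(shared_path, "rb") as src:
        for chunk in iter(lambda: src.read(65536), b""):
            h.update(chunk)
            dst.write(chunk)
    if not hmac.compare_digest(h.hexdigest(), expected_sha256):
        os.remove(staged)  # never leave an unverified file staged
        raise ValueError("digest mismatch")
    return staged

def demo():
    """Constructed scenario: the shared file changes after verification."""
    with tempfile.TemporaryDirectory() as root:
        shared = os.path.join(root, "shared", "game.apk")
        os.makedirs(os.path.dirname(shared))
        with open(shared, "wb") as f:
            f.write(b"GENUINE-PACKAGE")  # constructed sample bytes
        expected = hashlib.sha256(b"GENUINE-PACKAGE").hexdigest()
        weak = verify_in_place(shared, expected)
        strong = stage_and_verify(shared, expected, os.path.join(root, "private"))
        with open(shared, "wb") as f:  # another writer replaces the shared file
            f.write(b"SOMETHING-ELSE")
        # Does each path still hold the verified bytes at install time?
        return sha256_file(weak) == expected, sha256_file(strong) == expected

if __name__ == "__main__":
    print(demo())
```

The weak path no longer matches the verified digest once the shared file changes, while the staged copy still does, which is why the check has to be bound to the exact bytes handed to the package installer.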

Google discovered the vulnerability in the Fortnite installer app on August 15 and immediately notified Epic Games. Within 48 hours, Epic Games fixed the Fortnite installer and deployed the fix to all Android users who had installed it. Epic asked Google to keep the exploit secret for 90 days to give Android owners time to update their Fortnite installer app.

However, according to Google’s policy, once the patch for an exploit it discovered is released, it will immediately share the details of the bug. After Epic fixed the problem, Google went ahead and published the bug’s details, ignoring the developer’s request.

Epic Games CEO Tim Sweeney accused Google of pulling a PR stunt.

“We asked Google to hold the disclosure until the update was more widely installed. They refused, creating an unnecessary risk for Android users in order to score cheap PR points,” Sweeney said on Twitter.

Epic Games has released version 2.1.0 that patches this attack vector.