Epic’s first Fortnite Installer had a major security flaw
The news that Epic Games would create its own Android installer for Fortnite instead of offering the game on Google Play raised fears of security issues. Those fears were realized when Epic Games and Google confirmed that the first version of the Fortnite Installer came with a major security flaw.
That flaw allowed hackers and malicious apps to silently install anything on a user’s phone, including apps with full permissions.
Here is how it happened. To download Fortnite, you first have to download the Fortnite Installer, which then gets the game for you. According to Google’s security team, the Fortnite Installer can easily be hijacked by another APK and made to install a different app while it still thinks it is downloading Fortnite.
The exploit works like this: a malicious APK (any with the WRITE_EXTERNAL_STORAGE permission) intercepts the Fortnite Installer’s installation of the legitimate game and substitutes a different APK. The Fortnite Installer still thinks it is downloading Fortnite despite the last-minute interception.
It’s even worse on Samsung devices, where the Fortnite Installer performs the installation silently via the Galaxy Apps API. The API checks whether the APK being installed has the package name “com.epicgames.fortnite” and then proceeds with the installation, which means any app with that package name can be installed silently, even if it’s not Fortnite.
According to Google, if the fake APK has a targetSdkVersion of 22 or lower, the app is granted all the permissions it requests upon installation. All of this happens without users ever getting a chance to approve the fake APK’s permission requests, because the Fortnite Installer does all the checking. Again, this exploit only works if you have both a malicious APK and the first Fortnite Installer.
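To see why a package-name match is not enough, here is a simplified model added for this write-up; it is not code from Epic, Samsung or Google. The zip layout, the function names and the pinned-digest check are assumptions for illustration, and the article does not say how version 2.1.0 actually fixed the problem.

```python
import hashlib
import io
import zipfile

EXPECTED_PACKAGE = "com.epicgames.fortnite"  # package name quoted in the article


def build_apk(package: str, payload: bytes) -> bytes:
    """Constructed stand-in for an APK: a zip holding a plain-text package name.
    Real APKs keep the name in a binary AndroidManifest.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("package.txt", package)
        z.writestr("classes.dex", payload)
    return buf.getvalue()


def package_name(apk: bytes) -> str:
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return z.read("package.txt").decode()


def name_only_check(apk: bytes) -> bool:
    """The check described above: accept anything claiming the right name."""
    return package_name(apk) == EXPECTED_PACKAGE


def pinned_digest_check(apk: bytes, pinned_sha256: str) -> bool:
    """Assumed mitigation: the name must match and the exact bytes about to be
    installed must hash to a digest obtained over a trusted channel."""
    return name_only_check(apk) and hashlib.sha256(apk).hexdigest() == pinned_sha256


def simulate() -> dict:
    genuine = build_apk(EXPECTED_PACKAGE, b"constructed: genuine game code")
    pinned = hashlib.sha256(genuine).hexdigest()
    # Constructed substitute: same package name, different contents.
    swapped = build_apk(EXPECTED_PACKAGE, b"constructed: unrelated code")
    return {
        "name_only_genuine": name_only_check(genuine),
        "name_only_swapped": name_only_check(swapped),
        "pinned_genuine": pinned_digest_check(genuine, pinned),
        "pinned_swapped": pinned_digest_check(swapped, pinned),
    }


if __name__ == "__main__":
    for check, accepted in simulate().items():
        print(f"{check}: {'accepted' if accepted else 'rejected'}")
```

The name-only check accepts both files, while the digest check rejects the substitute. On a real device the verified bytes must also be the ones handed to the installer, which means keeping the download in app-private storage rather than on shared external storage.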
User security is our top priority, and as part of our proactive monitoring for malware we identified a vulnerability in the Fortnite installer. We immediately notified Epic Games and they fixed the issue. — Google Spokesperson
Epic Games has since fixed the issue with the release of version 2.1.0 of the Installer. The Fortnite Installer will also notify users if they are using an earlier version before proceeding with the download of Fortnite. We advise anyone who has downloaded the first version of the Installer to update to version 2.1.0 immediately. We also once again urge readers to download apps only from official and legitimate sources.
source: Google Issue Tracker
via: Android Central