Fortnite Vulnerability Pits Epic Games Against Google
A flaw in Epic Games' Fortnite Android installer could have allowed a malicious app already on the device to silently install malware. The company's CEO took umbrage at the way Google disclosed the vulnerability this week.
Tim Sweeney, the CEO and founder of Epic Games, the company behind this year's massively popular game Fortnite, has a bone to pick with Google.
Sweeney railed against the company earlier this week, specifically over the way Google disclosed a vulnerability in Fortnite's Android installer.
The issue, which Google researchers first reported to Epic on August 15, could have allowed an attacker to swap the APK the installer downloads for a malicious, fake version before it was installed.
“Any app with the WRITE_EXTERNAL_STORAGE permission can substitute the APK immediately after the download is completed and the fingerprint is verified,” a Google researcher wrote earlier this month in a post on the company’s bug tracking site. “This is easily done using a FileObserver. The Fortnite Installer will proceed to install the substituted (fake) APK.”
According to Google, the vulnerability is a variant of the man-in-the-disk attack, an attack surface described by Check Point researchers at DEF CON several weeks earlier. It stems from Android apps keeping security-relevant files on shared external storage, where any other app holding the storage permission can modify them between the moment they are checked and the moment they are used.
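The check-then-use window the Google researcher describes, as an added example that is not code from this page, from Epic or from Google: a Python simulation (the real installer is Android Java/Kotlin, but the race is the same) in which a stand-in attacker app overwrites the shared download at the moment its FileObserver would fire. The payloads, the pinned hash and the directory layout are constructed for the demo; `install_vulnerable` models verifying the file in external storage and then re-opening it by path, and `install_hardened` models copying it into app-private storage before verifying and installing that copy.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed stand-in payloads (not real APKs). The installer pins the
# fingerprint of the genuine one, as the Fortnite installer pinned its APK.
GENUINE_APK = b"PK\x03\x04 constructed genuine game APK"
MALICIOUS_APK = b"PK\x03\x04 constructed attacker APK"
PINNED_SHA256 = hashlib.sha256(GENUINE_APK).hexdigest()


def sha256_file(path):
    """Stream the file through SHA-256; this is the installer's 'fingerprint' check."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def download(dest_path):
    """Stand-in for the HTTPS download: writes the genuine APK to dest_path."""
    with open(dest_path, "wb") as f:
        f.write(GENUINE_APK)


def attacker_swap(shared_path):
    """What a co-installed app holding WRITE_EXTERNAL_STORAGE does when its
    FileObserver fires: overwrite the freshly downloaded APK in the shared,
    world-writable directory. It has no write access to app-private storage,
    so it is only ever handed the shared path."""
    with open(shared_path, "wb") as f:
        f.write(MALICIOUS_APK)


def install_vulnerable(shared_dir, observer_fires):
    """Verify-then-install from external storage. observer_fires is the
    attacker's callback, invoked where the real attack lands: after the
    fingerprint check and before the package installer reads the file."""
    apk = os.path.join(shared_dir, "game.apk")
    download(apk)
    if sha256_file(apk) != PINNED_SHA256:
        raise ValueError("fingerprint mismatch")
    observer_fires(apk)             # attacker wins the race here
    with open(apk, "rb") as f:      # installer re-opens the path by name
        return f.read()


def install_hardened(shared_dir, private_dir, observer_fires, swap_before_copy=False):
    """Copy into app-private storage, then verify and install the private copy.
    The attacker can still clobber the shared file, but nothing trusts it again.
    swap_before_copy=True models the attacker firing before the copy; the
    private copy is then already bad and the fingerprint check rejects it."""
    shared = os.path.join(shared_dir, "game.apk")
    private = os.path.join(private_dir, "game.apk")
    download(shared)
    if swap_before_copy:
        observer_fires(shared)
    shutil.copyfile(shared, private)
    if not swap_before_copy:
        observer_fires(shared)      # too late: the installer never rereads it
    if sha256_file(private) != PINNED_SHA256:
        raise ValueError("fingerprint mismatch")
    with open(private, "rb") as f:
        return f.read()


def run_scenarios():
    """Run the three cases and report what actually got installed."""
    results = {}
    with tempfile.TemporaryDirectory() as shared, tempfile.TemporaryDirectory() as private:
        results["vulnerable_installed_malware"] = (
            install_vulnerable(shared, attacker_swap) == MALICIOUS_APK)
        results["hardened_installed_genuine"] = (
            install_hardened(shared, private, attacker_swap) == GENUINE_APK)
        try:
            install_hardened(shared, private, attacker_swap, swap_before_copy=True)
            results["hardened_detected_early_swap"] = False
        except ValueError:
            results["hardened_detected_early_swap"] = True
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

On a real device the equivalent fix is to download into the app's internal storage (getFilesDir() or getCacheDir()), which other apps cannot write to, and to feed the package installer from that private file rather than from a path under external storage; the hash check itself was never the problem, re-opening a world-writable path after the check was. Scoped storage on later Android releases narrows what other apps can reach on external storage, but an installer should not depend on that.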
While Epic Games patched the flaw quickly – it pushed a fix on August 17 – the company urged Google to wait before publicly disclosing the issue.
“We would like to request the full 90 days before disclosing this issue so our users have time to patch their devices,” Epic’s information security department asked Google on August 16.
Instead of waiting 90 days, Google disclosed the issue last Friday, after just seven days.
“As mentioned via email, now the patched version of Fortnite Installer has been available for 7 days we will proceed to unrestrict this issue in line with Google's standard disclosure practices,” Google wrote on Friday, making the issue tracker ticket public.
While Epic Games didn’t publicly respond on Google’s issue tracker, Sweeney took umbrage at the disclosure.
"We asked Google to hold the disclosure until the update was more widely installed. They refused, creating an unnecessary risk for Android users in order to score cheap PR points," Sweeney tweeted over the weekend, adding that he thought the company acted irresponsibly by rapidly releasing technical details around the vulnerability.
Android is an open platform. We released software for it. When Google identified a security flaw, we worked around the clock (literally) to fix it and release an update.
The only irresponsible thing here is Google’s rapid public release of technical details.
— Tim Sweeney (@TimSweeneyEpic) August 25, 2018
We asked Google to hold the disclosure until the update was more widely installed. They refused, creating an unnecessary risk for Android users in order to score cheap PR points.
— Tim Sweeney (@TimSweeneyEpic) August 25, 2018
It could be said the company opened itself to controversy before it even released the game on Android. At the beginning of August, Epic decided to bypass Google and not distribute Fortnite through the Play Store. Instead – and this is still the case – Android users download an installer directly from Fortnite's website, and that installer then fetches and installs the game on the device.
The strategy almost immediately invited criticism, especially from security experts who called the decision risky. Sideloading apps from non-Google Play sources, also known as “unknown sources,” requires users to manually loosen their device's security settings, and once loosened that setting does not distinguish Fortnite from anything else. Sweeney said this wasn't the case for users on the latest Android version, 8.0 “Oreo,” which replaced the global toggle with a per-app permission, but according to Android version-distribution metrics the number of users not on Oreo far outweighs those who are, opening the door for malware, spyware, and other malfeasance.