Epic Games’ decision to make its popular game Fortnite available on Android through its own website instead of Google Play Store seems to have backfired.
Google has publicly disclosed an extremely dangerous security flaw in Fortnite’s installer that allows attackers to download anything on an Android phone.
This flaw lets any app on your phone to download and install apps with full permissions granted, that too without the user’s knowledge.
How does this vulnerability work?
If you try to download Fortnite on your devices, it first downloads the Fortnite Installer which in turn downloads the full game directly from Epic.
This installer also looks for updates for the game, and since it takes permission from the user during installation, it no longer prompts the user about anything it installs from “unknown sources” in the background.
Now the problem was that the Fortnite Installer could be exploited very easily by hijacking the request to download updates from Epic’s server and download something else. This is also known as a “man-in-the-disk” attack.
However, it’s worth noting that such exploitation can take place if you have an app installed on your phone that looks for such a vulnerability.
Google’s security team notified this issue to Epic Games on August 15, and the gaming company didn’t waste time in patching up this flaw.
But given that Google is not really supportive of Epic’s decision to distribute the popular game from its own website instead of Play Store, the search engine giant wasted no time in exposing the flaw to the public.
In response, Epic said it was “irresponsible” on Google’s part to disclose the flaw so soon, as there are many installations that yet to be updated and are still vulnerable.
So in case you have the Fortnite Installer installed on your phone too, we suggest that you install the latest version.