Thursday , September 20 2018 Ausdroid » News » It turns out the Fortnite installer had a vulnerability, but it’s been patched already

Epic Games’ decision to distribute Fortnite outside of the Google Play ecosystem was bound to get people’s attention, and though I earlier said this probably wouldn’t cause issues, it seems I wasn’t entirely right. A technical vulnerability was discovered – by Google, no less – and patched fairly well immediately by Epic. To date, there’s no information to suggest the vulnerability was actually exploited by anyone, given it wasn’t publicly discussed until it was fixed, but who knows.

What was the vulnerability?

As discussed earlier, Fortnite doesn’t download from Google Play. Rather, users download Fortnite’s installer from Epic’s website, and that installer app in turn downloads Fortnite. Nothing really exciting about this, except that there was much kvetching in the tech-nerd space about what a poor decision (or a greedy one, perhaps) this was on behalf of Epic.

The vulnerability came about because Epic had been a bit careless about how it handled the installation of its primary game; due to the size of the downloaded app, no doubt, it is downloaded to External Storage before it is then installed by the Installer service.

This leaves the process open to exploitation; a malicious app could insert its own APK file into the process stream, and trick the Epic Installer into installing said APK.

If this occurred, that malicious app could install silently, without notice to the user, and (likely) with full permissions, regardless of Android’s permission model. You trusted the installer, so you trust whatever it installs. Some say this means Epic’s process is broken, but if you ask me, this is a bigger problem and something that Android probably needs to address, too.

Did it matter?

Arguably, but probably not. For this vulnerability to have even a remote chance of being exploited, a user would have to have both (a) installed the Fortnite installer and (b) installed some other malicious app which was specifically designed to exploit the vulnerability in Fortnite’s installer.

Let’s stop for a moment.

Most users do not install apps from outside the official Google Play store process, and those who install Fortnite make an exception to that generalisation. However, they would need to have either (a) installed some other malicious app from outside the Play Store, or (b) been unlucky enough to install some malicious app from Google Play which somehow missed being detected by Google’s pretty capable malware scanning process.

In short, it’s a fairly remote possibility at best.

So, while not a great vulnerability to have put out in the wild, it’s one that doesn’t seem terribly likely to have been actually exploited.

What’s the rub?

Fortnite players probably don’t need to panic. There’s a new Fortnite Installer out (version 2.1.0) and chances are you’ve already got it. If you don’t, open up the Installer, hit Settings and check for a new update.

If you don’t have the new version, I’d suggest you install it now.

You should also check your Google Play Protect settings to make sure you’ve got scanning turned on; if you do (and have done), chances are anything which might’ve exploited Fortnite’s installer would’ve been detected and dealt with before you even read this article.

Chris Rowland   Director / Editor (Ex-Officio)

Chris has been at the forefront of smartphone reporting in Australia since smartphones were a thing, and has used mobile phones since they came with giant lead-acid batteries that were "transportable" and were carried in a shoulder bag.

Today, Chris publishes one of Australia's most popular technology websites, Ausdroid. His interests include mobile (of course), as well as connected technology and how it can make all our lives easier.

2
Join the Ausdroid Conversation

avatar
1 Comment threads
1 Thread replies
2 Followers
 
Most reacted comment
Hottest comment thread
2 Comment authors
NarbettDean Rosolen Recent comment authors
  Subscribe  
newest oldest most voted
Notify of
Dean Rosolen
Ausdroid Reader
Dean Rosolen

And this is why you distribute your Android apps through the Play Store.

Narbett
Guest
Narbett

I agree – though, evidence wise, a single low-stakes, fixed vulnerability is not by itself worth a 30% loss of income to Epic.

We’ll see if more occur though + issues with ppl being duped by fake download sites (which is my theory of why it’s a bad move).

Check Also

Samsung Galaxy A7 (2018) now official with triple rear cameras

It looks like Samsung has stepped onto the triple rear camera sensor bandwagon, though it’s …