Vulnerability spotted in Fortnite Android installer

Google identified the flaw, which has since been patched

After Fortnite for Android arrived independently of the Google Play Store, Google has revealed that a flaw in the game's installer left players' devices vulnerable to being hacked.

The news brings a measure of validation to the security experts who criticised game developer Epic's decision to bypass Google's distribution platform, warning that encouraging users to side-load Fortnite would expose them to unnecessary security risks.

Disclosed on Google's Issue Tracker site for Android developers, the bug in Epic's initial Fortnite installer for Android allowed malicious apps on phones to hijack the Fortnite installer in order to download and install malware. What's more, it let them do it in the background, meaning that an app didn't need to flag to users that it was downloading content to the device.

Google did contact Epic over the issue, allowing the developer to update the Fortnite installer on Android before Google went public with the vulnerability, although Epic CEO Tim Sweeney still called Google irresponsible for not waiting until more people had applied the update.

Fortnite on Android hack: What is the vulnerability?

When you download Fortnite for Android from Epic's website, you're actually just downloading an installer, rather than the full game. The Fortnite installer then does the heavy lifting, downloading the game in its entirety directly from Epic's servers.

The problem with this, as Google's security team discovered, is that Epic's Fortnite installer was easy to exploit. In theory, hackers could hijack the request from the Fortnite installer to Epic's servers and instead download something else when you tap the "download" button in the app.

This may not sound like much of an issue, but all it takes is one unsavoury app lying in wait on your phone to take advantage of this exploit. Given the popularity of Fortnite, and its highly anticipated release on Android, it's likely to be a target of hackers. 

What makes matters worse is that once you've given the Fortnite installer a chance to download an app in the background, it never needs to ask for permission to do so again. Because the Fortnite installer is a 'dumb' app, it doesn't know which servers it's downloading from, it just knows it's being used to download something, so it can't flag a dodgy install.
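The weakness described above is an installer that trusts whatever bytes come back from its download step. The article does not describe Epic's actual fix, so the following is an added illustration rather than Epic's code: a Python model of a "dumb" installer next to one that pins the expected SHA-256 digest of the package and refuses anything else. The server, the packages and the substituted payload are all constructed in-process so it runs offline; the names `naive_install`, `verified_install` and `PINNED_SHA256` are the example's own.

```python
"""Integrity check for a downloaded package before it is handed to the installer.

Added example, not Epic's installer or its fix. It contrasts an installer that
installs whatever the fetch step returns with one that verifies the package
against a digest it already holds. All data below is constructed.
"""
import hashlib
import hmac

# Constructed sample artefacts: what the vendor published vs. a swapped-in payload.
GENUINE_PACKAGE = b"PK\x03\x04 constructed genuine game package bytes"
SUBSTITUTED_PACKAGE = b"PK\x03\x04 constructed substituted payload bytes"

# Assumption: the expected digest is obtained out of band (e.g. baked into the
# installer build), not fetched over the same channel as the package itself.
PINNED_SHA256 = hashlib.sha256(GENUINE_PACKAGE).hexdigest()


class IntegrityError(Exception):
    """Raised when a downloaded package does not match the pinned digest."""


def naive_install(fetch):
    """'Dumb' installer: hands whatever the fetch step returns to the package installer.

    It has no way to tell a genuine package from a substituted one."""
    return fetch()


def verified_install(fetch, expected_sha256=PINNED_SHA256):
    """Installer that checks the package against a pinned digest before installing."""
    package = fetch()
    actual = hashlib.sha256(package).hexdigest()
    # compare_digest avoids leaking the comparison result through timing.
    if not hmac.compare_digest(actual, expected_sha256):
        raise IntegrityError(
            f"digest mismatch: expected {expected_sha256[:12]}..., got {actual[:12]}..."
        )
    return package


def honest_server():
    """Constructed stand-in for the vendor's server returning the real package."""
    return GENUINE_PACKAGE


def substituted_download():
    """Constructed stand-in for the failure mode in the article: something else on the
    device replaces the package the installer is about to install."""
    return SUBSTITUTED_PACKAGE


def demo():
    """Run both installers against both download outcomes; returns a dict of results."""
    results = {}
    results["naive_genuine"] = naive_install(honest_server) == GENUINE_PACKAGE
    # The dumb installer accepts the substituted payload without noticing.
    results["naive_substituted_installed"] = (
        naive_install(substituted_download) == SUBSTITUTED_PACKAGE
    )
    results["verified_genuine"] = verified_install(honest_server) == GENUINE_PACKAGE
    try:
        verified_install(substituted_download)
        results["verified_substituted_rejected"] = False
    except IntegrityError:
        results["verified_substituted_rejected"] = True
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

On Android the equivalent controls are keeping the downloaded file in app-private storage rather than a world-writable location, and checking the APK's signing certificate against the one the installer expects before invoking the package installer; that is general platform guidance, not a description of what Epic shipped in 2.1.0.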

Google posted a proof-of-concept video showing how easily a user could believe they were downloading Fortnite while a malicious app was actually being installed on their phone; the video was published as an .mp4 download alongside the Issue Tracker report.

It should, of course, be noted that Google has a vested interest in finding vulnerabilities in Fortnite and its distribution. By releasing Fortnite for Android outside of the Play Store, Epic Games keeps the game's revenues for itself, without paying Google the 30% cut it demands for hosting apps in its own market. Fortnite was making $1.2 million per day on average when it first arrived on iOS.

If Epic is successful in distributing Fortnite outside the Play Store, it could lead other developers to jump ship too, so Google has an incentive to prove security experts' fears right.

Fortnite on Android hack: How to make sure your phone is safe

Those now concerned about downloading Fortnite on Android needn't be. Epic has stated that it fixed the exploit fewer than 48 hours after being alerted to the flaw. 

Those who currently use the original installer simply need to update to the latest version - 2.1.0 or newer. You can check to see if you're running this by launching the installer and heading to Settings. If you've somehow ended up installing an earlier version of the Fortnite installer, you won't be able to download Fortnite until you update to version 2.1.0.

If you're still worried about the vulnerability, you can uninstall Fortnite and its installer and reinstall them both. You should also run a scan with Google Play Protect to identify if any malware has been installed on your phone. You can do this by heading to the "My apps & games" section of the Google Play Store and tapping the "Play Protect" icon at the very top of your list of apps.
