Vulnerability spotted in Fortnite Android installer

Google identified the flaw, which has since been patched

Following the release of Fortnite for Android outside the Google Play Store, Google has revealed that a flaw in the game's installer left players' devices vulnerable to being hacked.

The news brings a measure of validation to the security experts who criticised game developer Epic's decision to bypass Google's distribution platform, warning that encouraging users to side-load Fortnite would expose them to unnecessary security risks.

Disclosed on Google's Issue Tracker site for Android developers, the bug in Epic's initial Fortnite installer for Android allowed malicious apps on phones to hijack the Fortnite installer in order to download and install malware. What's more, it let them do it in the background, meaning that an app didn't need to flag to users that it was downloading content to the device.

Google did contact Epic over the issue, allowing the developer to update the Fortnite installer on Android before Google went public with the vulnerability, although Epic CEO Tim Sweeney still called Google irresponsible for not waiting until more people had applied the update.

Fortnite on Android hack: What is the vulnerability?

When you download Fortnite for Android from Epic's website, you're actually just downloading an installer, rather than the full game. The Fortnite installer then does the heavy lifting, downloading the game in its entirety directly from Epic's servers.

The problem with this, as Google's security team discovered, is that Epic's Fortnite installer was easy to exploit. In theory, hackers could hijack the request from the Fortnite installer to Epic's servers and instead download something else when you tap the "download" button in the app.

This may not sound like much of an issue, but all it takes is one unsavoury app lying in wait on your phone to take advantage of this exploit. Given the popularity of Fortnite, and its highly anticipated release on Android, it's likely to be a target of hackers. 

What makes matters worse is that once you've given the Fortnite installer a chance to download an app in the background, it never needs to ask for permission to do so again. Because the Fortnite installer is a 'dumb' app, it doesn't know which servers it's downloading from; it only knows it's being used to download something, so it can't flag a dodgy install.
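
The check a less 'dumb' installer would make before installing anything, as an added example that is not Epic's or Google's code: it accepts a package only from an allowlisted HTTPS origin and only when the bytes about to be installed match a pinned digest. The host name, package name and payload are constructed placeholders, and the logic is written in Python rather than against Android APIs.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumed values for illustration; not Epic's real hosts, names or hashes.
ALLOWED_HOSTS = {"downloads.example-publisher.test"}
CONSTRUCTED_PAYLOAD = b"PK\x03\x04 constructed stand-in for the game package"
PINNED = {"com.example.game": hashlib.sha256(CONSTRUCTED_PAYLOAD).hexdigest()}


def origin_allowed(url):
    """Accept only HTTPS URLs whose host is on the allowlist."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS


def verify_before_install(package_name, source_url, payload):
    """Return (ok, reason) for the exact bytes about to be installed."""
    if package_name not in PINNED:
        return False, "unknown package"
    if not origin_allowed(source_url):
        return False, "untrusted origin"
    digest = hashlib.sha256(payload).hexdigest()
    # Constant-time comparison of the computed and pinned digests.
    if not hmac.compare_digest(digest, PINNED[package_name]):
        return False, "digest mismatch"
    return True, "ok"


def install(package_name, source_url, payload, installed):
    """Hypothetical install step: records the package only if verified."""
    ok, reason = verify_before_install(package_name, source_url, payload)
    if ok:
        installed[package_name] = hashlib.sha256(payload).hexdigest()
    return ok, reason


if __name__ == "__main__":
    store = {}
    url = "https://downloads.example-publisher.test/game.apk"
    print(install("com.example.game", url, CONSTRUCTED_PAYLOAD, store))
    # Same URL, but the bytes were swapped before the install step.
    print(install("com.example.game", url, b"substituted package", store))
    # Expected bytes, but fetched over plain HTTP.
    print(install("com.example.game", url.replace("https", "http", 1),
                  CONSTRUCTED_PAYLOAD, store))
```

The verification runs on the bytes handed to the install step, not on the download request, so a substitution made after the download is still rejected.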

Google posted a proof-of-concept video showcasing just how easy it is for a user to think they're downloading Fortnite when, in actuality, they're downloading a malicious app to their phone. The video can be downloaded in .mp4 format here.

It should, of course, be noted that Google has a vested interest in finding vulnerabilities in Fortnite and its distribution. By releasing Fortnite for Android outside of the Play Store, Epic Games keeps the game's revenues for itself, without paying Google the 30% cut it demands for hosting apps in its own market. Fortnite was making $1.2 million per day on average when it first arrived on iOS.

If Epic is successful in distributing Fortnite outside the Play Store, it could lead other developers to jump ship too, so Google has an incentive to prove security experts' fears right.

Fortnite on Android hack: How to make sure your phone is safe

Those now concerned about downloading Fortnite on Android needn't be. Epic has stated that it fixed the exploit less than 48 hours after being alerted to the flaw.

Those who currently use the original installer simply need to update to the latest version - 2.1.0 or newer. You can check to see if you're running this by launching the installer and heading to Settings. If you've somehow ended up installing an earlier version of the Fortnite installer, you won't be able to download Fortnite until you update to version 2.1.0.

If you're still worried about the vulnerability, you can uninstall Fortnite and its installer and reinstall them both. You should also run a scan with Google Play Protect to identify if any malware has been installed on your phone. You can do this by heading to the "My apps & games" section of the Google Play Store and tapping the "Play Protect" icon at the very top of your list of apps.
