Vulnerability spotted in Fortnite Android installer

Google identified the flaw, which has since been patched

After Fortnite for Android arrived independently of the Google Play Store, Google has revealed that a flaw in the game's installer left players' devices vulnerable to being hacked.

The news brings a measure of validation to the security experts who criticised game developer Epic's decision to bypass Google's distribution platform, warning that encouraging users to side-load Fortnite would expose them to unnecessary security risks.

Disclosed on Google's Issue Tracker site for Android developers, the bug in Epic's initial Fortnite installer for Android allowed malicious apps on phones to hijack the Fortnite installer in order to download and install malware. What's more, it let them do it in the background, meaning that an app didn't need to flag to users that it was downloading content to the device.

Google did contact Epic over the issue, allowing the developer to update the Fortnite installer on Android before Google went public with the vulnerability, although Epic CEO Tim Sweeney still called Google irresponsible for not waiting until more people had applied the update.

Fortnite on Android hack: What is the vulnerability?

When you download Fortnite for Android from Epic's website, you're actually just downloading an installer, rather than the full game. The Fortnite installer then does the heavy lifting, downloading the game in its entirety directly from Epic's servers.

Advertisement - Article continues below

The problem with this, as Google's security team discovered, is that Epic's Fortnite installer was easy to exploit. In theory, hackers could hijack the request from the Fortnite installer to Epic's servers and instead download something else when you tap the "download" button in the app.

This may not sound like much of an issue, but all it takes is one unsavoury app lying in wait on your phone to take advantage of this exploit. Given the popularity of Fortnite, and its highly anticipated release on Android, it's likely to be a target of hackers. 

What makes matters worse is that once you've given the Fortnite installer a chance to download an app in the background, it never needs to ask for permission to do so again. Because the Fortnite installer is a 'dumb' app, it doesn't know which servers it's downloading from, it just knows it's being used to download something, so it can't flag a dodgy install.

Google posted a proof-of-concept video showcasing just how easy it is for a user to think they're downloading Fortnite when, in actuality, they're downloading a malicious app to their phone. The video can be downloaded in .mp4 format here.

It should, of course, be noted that Google has a vested interest in finding vulnerabilities in Fortnite and its distribution. By releasing Fortnite for Android outside of the Play Store, Epic Games keeps the game's revenues for itself, without paying Google the 30% cut it demands for hosting apps in its own market. Fortnite was making $1.2 million per day on average when it first arrived on iOS.

If Epic is successful in distributing Fortnite outside the Play Store, it could lead other developers to jump ship too, so Google has an incentive to prove security experts' fears right.

Fortnite on Android hack: How to make sure your phone is safe

Those now concerned about downloading Fortnite on Android needn't be. Epic has stated that it fixed the exploit fewer than 48 hours after being alerted to the flaw. 

Those who currently use the original installer simply need to update to the latest version - 2.1.0 or newer. You can check to see if you're running this by launching the installer and heading to Settings. If you've somehow ended up installing an earlier version of the Fortnite installer, you won't be able to download Fortnite until you update to version 2.1.0.

If you're still worried about the vulnerability, you can uninstall Fortnite and its installer and reinstall them both. You should also run a scan with Google Play Protect to identify if any malware has been installed on your phone. You can do this by heading to the "My apps & games" section of the Google Play Store and tapping the "Play Protect" icon at the very top of your list of apps.

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now



Hackers abuse LinkedIn DMs to plant malware

25 Feb 2019

The IT Pro Podcast: Is the future multi-cloud?

29 Nov 2019
Business strategy

Google accused of ‘union busting’

26 Nov 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

identity and access management (IAM)

44 million Microsoft customers found using compromised passwords

6 Dec 2019
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019

Five signs that it’s time to retire IT kit

29 Nov 2019

Where modernisation and sustainability meet: A tale of two benefits

25 Nov 2019