Epic's first Fortnite Installer allowed hackers to download and install anything on your Android phone silently

Google has just publicly disclosed that it discovered an extremely serious vulnerability in Epic's first Fortnite installer for Android that allowed any app on your phone to download and install anything in the background, including apps with full permissions granted, without the user's knowledge. Google's security team first disclosed the vulnerability privately to Epic Games on August 15, and has since released the information publicly following confirmation from Epic that the vulnerability was patched.

In short, this was exactly the kind of exploit that Android Central, and others, had feared would occur with this sort of installation system. Here's what you need to know about the vulnerability, and how to make sure you're safe going forward.

What is the vulnerability and why is it so bad?

When you go to download "Fortnite" you don't actually download the whole game, you download the Fortnite Installer first. The Fortnite Installer is a simple app that you download and install, which then subsequently downloads the full Fortnite game directly from Epic.

The Fortnite Installer was easily exploitable to hijack the request to download the full game.

The problem, as Google's security team discovered, was that the Fortnite Installer was very easily exploitable to hijack the request to download Fortnite from Epic and instead download anything when you tap the button to download the game. It's what's known as a "man-in-the-disk" attack: an app on your phone looks for requests to download something from the internet and intercepts that request to download something else instead, unbeknownst to the original downloading app. This is possible purely because the Fortnite Installer was designed improperly — the Fortnite Installer has no idea that it just facilitated the malware download, and tapping "launch" even launches the malware.

In order to be exploited, you would need to have an app installed on your phone that was looking for such a vulnerability — but given the popularity of Fortnite and the anticipation of the release, it's highly likely that there are unsavory apps out there that are doing just that. Many times malicious apps that are installed on phones don't have a single exploit on them, they have a whole payload full of many known vulnerabilities to test, and this type of attack could be one of them.

With one tap, you could download a malicious app that had full permissions and access to all data on your phone.

Here's where things get really bad. Because of the way Android's permissions model works, you won't have to accept installation of an app from "unknown sources" beyond the time you accepted that installation for Fortnite. Because of the way this exploit works, there is no indication during the installation process that you're downloading anything other than Fortnite (and Fortnite Installer has no knowledge, either), while in the background an entirely different app is being installed. This all happens within the expected flow of installing the app from the Fortnite Installer — you accept the installation, because you think you're installing the game. On Samsung phones that get the app from Galaxy Apps, in particular, things are slightly worse: there isn't even a first prompt to allow from "unknown sources" because Galaxy Apps is a known source. Going further, that app that was just installed silently can declare and be granted every permission possible without your further consent. It doesn't matter whether you have a phone with Android Lollipop or Android Pie, or whether you turned off "unknown sources" after installing the Fortnite Installer — as soon as you installed it, you could potentially be attacked.

Google's Issue Tracker page for the exploit has a quick screen recording that shows just how easily a user can download and install the Fortnite Installer, in this case from the Galaxy Apps Store, and think they're downloading Fortnite while instead downloading and installing a malicious app, with full permissions — camera, location, microphone, SMS, storage and phone — called "Fortnite." It takes a few seconds and no user interaction.

Yeah, this is a pretty bad one.

How you can make sure you're safe

Thankfully, Epic acted quickly to fix the exploit. According to Epic, the exploit was fixed less than 48 hours after being notified and was deployed to every Fortnite Installer that had been installed previously — users simply need to update the Installer, which is a one-tap affair. The Fortnite Installer that brought the fix is version 2.1.0, which you can check for by launching the Fortnite Installer and going to its settings. If you for whatever reason were to download an earlier version of Fortnite Installer, it will prompt you to install 2.1.0 (or later) before installing Fortnite.

If you have version 2.1.0 or later, you're safe from this particular vulnerability.

Epic Games has not released information on this vulnerability outside of confirming that it has been fixed in version 2.1.0 of the installer, so we don't know whether it was actively exploited in the wild. If your Fortnite Installer is up to date, but you're still worried about whether you were affected by this vulnerability, you can uninstall Fortnite and the Fortnite Installer, then go through the installation process again to make sure that your Fortnite installation is legitimate. You can (and should) also run a scan with Google Play Protect to hopefully identify any malware if it was installed.

A Google spokesperson had the following comment on the situation:

User security is our top priority, and as part of our proactive monitoring for malware we identified a vulnerability in the Fortnite installer. We immediately notified Epic Games and they fixed the issue.

Epic Games provided the following comment from CEO Tim Sweeney:

Epic genuinely appreciated Google's effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered.However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable.An Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed. Google refused. You can read it all at https://issuetracker.google.com/issues/112630336Google's security analysis efforts are appreciated and benefit the Android platform, however a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic's distribution of Fortnite outside of Google Play.

Google may have jumped the shark in Epic's mind, but this course of action clearly followed Google's policy for disclosure of 0day vulnerabilities.

What we learned from this process

I'll repeat something that's been said on Android Central for years now: it's incredibly important to only install apps from companies and developers you trust. This exploit, for as bad as it is, still required that you have both the Fortnite Installer installed and another malicious app that would make the request to download more damaging malware. With the massive popularity of Fortnite there's a great possibility that those circles overlap, but it doesn't have to happen to you.

This is exactly the kind of vulnerability we were worried about, and it happened on Day 1.

One of our concerns from the start with the decision to install Fortnite outside of the Play Store was that the game's popularity would overpower people's general good sense to stick to the Play Store for their apps. This is the kind of vulnerability that would very likely be caught in the review process of going onto the Play Store, and would be fixed before any large number of people downloaded it. And with Google Play Protect on your phone, Google would be able to remotely kill and uninstall the app if it ever made it out into the wild.

For its part, Google still managed to catch this vulnerability even though the app isn't being distributed through the Play Store. We already know Google Play Protect is able to scan apps on your phone even if they were installed directly from the web or another app store, and in this case that process was backed up by a talented security team at Google that found the vulnerability and reported it to the developer. This process typically happens in the background without much fanfare, but when we're talking about an app like Fortnite with likely tens of millions of installations, it shows just how seriously Google takes security in Android.

Update: This article has been updated with clarified information on the exploit, as well as a comment from Epic Games CEO Tim Sweeney.

Andrew was an Executive Editor, U.S. at Android Central between 2012 and 2020.

57 Comments
  • Yeah, this was expected. It was nice of Google to wait until they patched it before going public.
  • Ya cuz google would never wait like over a year to fix a bad exploitation google only jumped becouse there trying to make there platform look safer its not ive had apps from the play store steel my hole 20 gigs of data for the month in one hour i couldnt do that from my phone but they do not care i went without they said sorry nothing they could do but send them screens of it aah no not waisting my time to do your job
  • I get lost without punctuation lol
  • Then you should use them yourself.
  • His is understandable given its only a statement, and not a paragraph like the user he responded too.
  • It always helps if you clean your own house first.
  • I read this as the thought was going through my head that you had just chugged 10 red bulls and were on a sugar high. Use some periods, or a comma, or two, to make it a little easier for everyone to read and understand.
  • Yeah, this was a stupid idea not going through the play store.
  • Samsung missed the vulnerability!
  • GG Epic.
  • "However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable." Whatever Epic. Trying to dance around the Play store to save that Google cut and got burnt. It's your responsibility to make sure your hacky garbage is not a horrible trash fire where you are putting your users at risk. Pound sand.
  • Furthermore, they're lucky Google spent the time and resources to find this for them. Who knows how long this would have been out there being exploited with no users the wiser otherwise.
  • Most likely the reason Google did that, is because everybody is so quick to blame Google for any exploit on an Android phone, whether they're responsible or not. They were covering their ass as much as they were helping out Epic.
  • One could also imagine a setup, where one app was not able to completely hijack another app AND the whole phone... Had Google implemented a more selective access level instead of their usual all-or-nothing, this could be avoided completely.
  • Yeah, that's what I was thinking. Epic might have kept them from receiving a big pay day, but Google still has many users using that game to keep happy and people would point fingers at Google. They can't be spending their time on every future large release outside the store however. But they can work to keep things safe for this one.
  • Bottom line, it's users responsibility. If all of you want freedom and be able to download whatever you want suffer the consequences. This isn't Apple , nor Should it be. No babysitting needed.
  • It's a Google love fest in here
  • I wonder if the backdoor allows for a process that over heats the battery causing it to explode? Google Play Store for the win on this one!
  • LMAO
  • So this is just like any other Android vulnerability story: OMG! HUGE EXPLOIT! THE SKY ALMOST FELL! Truth? Zero people actually exploited. Companies worked together (as they should) to keep consumers safe. Whether it's Google, Apple, Samsung, or Epic, 99% of these stories are sensationalism. It's not like the Play Store itself has a clean safety record. Remember the University of Michigan study from last year? Pepperidge Farm remembers.
  • How do you know that nobody was affected by this vulnerability? Until Epic can release something that says so, nobody can say that for sure.
  • I'll just sit here and wait for the story that proves me wrong. Yeah, I could be; but I'm not the one reporting on this, and I'm sure the article wouldn't have missed something that significant. Or did it?
  • Totally overhyped, Just like every other exploit on Android. Great article but I've had standard & rooted phones for 10 years now, never had a problem . Not to say this won't happen but... ! ? Kind regards Richard U.K
  • I'm so glad that you posted an article on how to side install this 🤔
  • Great. Where do I sign up?
  • Perhaps if Google didn't gouge 30% of the purchase price for selling through the Play store, companies like Epic wouldn't feel the need to cut out the middleman. I'd guess that at around the 10% to 15% mark, Epic would be OK with it, but having Google cream off almost a third of the price, I don't blame them for trying an end run.
  • Not like Apple's any better here, same 30%. The difference is that publishing outside of Apple's app store isn't viable. At least Google only makes you pay once to publish.
  • True, plus playstore refund policies are ridiculous, users are not protected against badly developed and badly supported apps.
  • Mine downloaded to my Note 8 fine. I'm waiting for my Razer in invite. Fingers crossed their isn't some updated hack/ malware waiting in the wings
  • What Is the website called to get fortnite
  • epic games
  • "Google should [...] not endanger users in the course of its counter-PR efforts," says the developer who was endangering its users. Waaah! I also don't get how Google could endanger through protection in this case.
  • I think Tim Sweeney is drinking the Kool-Aid again. If Google really wanted to make counter-PR efforts against Epic for not releasing Fortnite on the Play Store, they would've just said nothing about the issue and left Epic (and users) to fend for themselves.
  • Yes, with potentially tons of broken phones as a result; I'm sure Google would LOVE that scenario... Not.
  • This wouldn't have happened if Epic just used the play store
  • You really don't know that though
  • Well it would've been far less likely to occur in the first place if Epic just used the Play Store. This is the sort of **** that always happens with unknown sources regardless of the implementation.
  • Dude, flashlight apps from the Play Store have done far worse. In fact, that's probably what the article is talking about when they say you already had to have a malicious app installed.
  • In the mean time, couldn't Google add a security fix to Android to prevent such a hack using this method?
  • Epic fail..but really, Android was actually the game's biggest opportunity and they did everything wrong.
  • Insert pic of Loser flashing the infamous Loser L on their forehead which clued the real world into the fast that gamers have less IQ than what they flush every day.
  • I guess you could say this was...... ...... an "Epic" oversight. YEEEEEEAAAAAAAAHHHHHHH!!!
  • I agree with - Darko Sam - this was an * Epic - Fail - moment*. Epic evidently used an outdated installer from another company. The CEO was actually more worried about revenue - or the loss of revenue - to warn their customers of a potential security risk. That should speak volumes of what 'Epic' considers a priority. A solid pass here...
  • Or just don't install fortnite because it's a shtty POS game that's a steaming pile of monkey garbage.
  • Then why is it so popular?
  • Because it came out of Kim Kardashian's extremely fat butt?
  • That's just lazy coding. It takes a few minutes of coding to verify code signature.
  • Mobile version is complete trash anyways. People imediately found ways to play in mobile lobbies from their PCs.
  • Correct me if I'm wrong but playing on console you are queued with PC players as well? (Or only if someone in your party is on PC does it allow PC players in the match?) I have yet to find clarification on how this works.
  • Correct. You only play with another platform if they are in your party. It is then the highest tier which you play in. Mobile tier
    Console tier
    Pc tier For example an Xbox player, mobile and a pc player all squad up they play on PC server. Mobile and Xbox squad up you play on Xbox. Only Xbox players squad up you play on Xbox. Only mobile, play on mobile etc.
  • Where do these malicious apps come from?
    Certainly google would have detected an app that can exploit this and block it from landing on their precious store.
    I guess the user would have to sideload both Fortnite AND the malicious app you just knew "was going to happen".
    Yes, publishing, when it could be assumed the fix would be rapid, was premature.
  • Well **** is my phone ok?
  • So, How do we know the updated installer is safe? How do we know someone hasn't hijacked the update process?
  • Gamers, the Walking Brain Dead.
  • Epic did a poor job with their code, endangering their users by making them install the app outside of the Play Store THEN blale google for communicating about the fkaw after the patch... No sense of responsibility! I won’t trust Epic and stay far from Fortnite on Android imo!
  • Both are being ridiculous.... "Epic shouldn't have done this" and "Google shouldn't have said anything" both are in the wrong and the person who gets **** on is us.
  • I install viruses as system apps just for fun.