Google has just publicly disclosed that it discovered an extremely serious vulnerability in Epic's first Fortnite installer for Android that allowed any app on your phone to download and install anything in the background, including apps with full permissions granted, without the user's knowledge. Google's security team first disclosed the vulnerability privately to Epic Games on August 15, and has since released the information publicly following confirmation from Epic that the vulnerability was patched.
In short, this was exactly the kind of exploit that Android Central, and others, had feared would occur with this sort of installation system. Here's what you need to know about the vulnerability, and how to make sure you're safe going forward.
What is the vulnerability and why is it so bad?
When you go to download "Fortnite" you don't actually download the whole game, you download the Fortnite Installer first. The Fortnite Installer is a simple app that you download and install, which then subsequently downloads the full Fortnite game directly from Epic.
The Fortnite Installer was easily exploitable to hijack the request to download the full game.
The problem, as Google's security team discovered, was that the Fortnite Installer was very easily exploitable to hijack the request to download Fortnite from Epic and instead download anything when you tap the button to download the game. It's what's known as a "man-in-the-disk" attack: an app on your phone looks for requests to download something from the internet and intercepts that request to download something else instead, unbeknownst to the original downloading app. This is possible purely because the Fortnite Installer was designed improperly — the Fortnite Installer has no idea that it just facilitated the malware download, and tapping "launch" even launches the malware.
In order to be exploited, you would need to have an app installed on your phone that was looking for such a vulnerability — but given the popularity of Fortnite and the anticipation of the release, it's highly likely that there are unsavory apps out there that are doing just that. Many times malicious apps that are installed on phones don't have a single exploit on them, they have a whole payload full of many known vulnerabilities to test, and this type of attack could be one of them.
With one tap, you could download a malicious app that had full permissions and access to all data on your phone.
Here's where things get really bad. Because of the way Android's permissions model works, you won't have to accept installation of an app from "unknown sources" beyond the time you accepted that installation for Fortnite. Because of the way this exploit works, there is no indication during the installation process that you're downloading anything other than Fortnite (and Fortnite Installer has no knowledge, either), while in the background an entirely different app is being installed. This all happens within the expected flow of installing the app from the Fortnite Installer — you accept the installation, because you think you're installing the game. On Samsung phones that get the app from Galaxy Apps, in particular, things are slightly worse: there isn't even a first prompt to allow from "unknown sources" because Galaxy Apps is a known source. Going further, that app that was just installed silently can declare and be granted every permission possible without your further consent. It doesn't matter whether you have a phone with Android Lollipop or Android Pie, or whether you turned off "unknown sources" after installing the Fortnite Installer — as soon as you installed it, you could potentially be attacked.
Google's Issue Tracker page for the exploit has a quick screen recording that shows just how easily a user can download and install the Fortnite Installer, in this case from the Galaxy Apps Store, and think they're downloading Fortnite while instead downloading and installing a malicious app, with full permissions — camera, location, microphone, SMS, storage and phone — called "Fortnite." It takes a few seconds and no user interaction.
Yeah, this is a pretty bad one.
How you can make sure you're safe
Thankfully, Epic acted quickly to fix the exploit. According to Epic, the exploit was fixed less than 48 hours after being notified and was deployed to every Fortnite Installer that had been installed previously — users simply need to update the Installer, which is a one-tap affair. The Fortnite Installer that brought the fix is version 2.1.0, which you can check for by launching the Fortnite Installer and going to its settings. If you for whatever reason were to download an earlier version of Fortnite Installer, it will prompt you to install 2.1.0 (or later) before installing Fortnite.
If you have version 2.1.0 or later, you're safe from this particular vulnerability.
Epic Games has not released information on this vulnerability outside of confirming that it has been fixed in version 2.1.0 of the installer, so we don't know whether it was actively exploited in the wild. If your Fortnite Installer is up to date, but you're still worried about whether you were affected by this vulnerability, you can uninstall Fortnite and the Fortnite Installer, then go through the installation process again to make sure that your Fortnite installation is legitimate. You can (and should) also run a scan with Google Play Protect to hopefully identify any malware if it was installed.
A Google spokesperson had the following comment on the situation:
User security is our top priority, and as part of our proactive monitoring for malware we identified a vulnerability in the Fortnite installer. We immediately notified Epic Games and they fixed the issue.
Epic Games provided the following comment from CEO Tim Sweeney:
Epic genuinely appreciated Google's effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered.
However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable.
An Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed. Google refused. You can read it all at https://issuetracker.google.com/issues/112630336
Google's security analysis efforts are appreciated and benefit the Android platform, however a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic's distribution of Fortnite outside of Google Play.
Google may have jumped the shark in Epic's mind, but this course of action clearly followed Google's policy for disclosure of 0day vulnerabilities.
What we learned from this process
I'll repeat something that's been said on Android Central for years now: it's incredibly important to only install apps from companies and developers you trust. This exploit, for as bad as it is, still required that you have both the Fortnite Installer installed and another malicious app that would make the request to download more damaging malware. With the massive popularity of Fortnite there's a great possibility that those circles overlap, but it doesn't have to happen to you.
This is exactly the kind of vulnerability we were worried about, and it happened on Day 1.
One of our concerns from the start with the decision to install Fortnite outside of the Play Store was that the game's popularity would overpower people's general good sense to stick to the Play Store for their apps. This is the kind of vulnerability that would very likely be caught in the review process of going onto the Play Store, and would be fixed before any large number of people downloaded it. And with Google Play Protect on your phone, Google would be able to remotely kill and uninstall the app if it ever made it out into the wild.
For its part, Google still managed to catch this vulnerability even though the app isn't being distributed through the Play Store. We already know Google Play Protect is able to scan apps on your phone even if they were installed directly from the web or another app store, and in this case that process was backed up by a talented security team at Google that found the vulnerability and reported it to the developer. This process typically happens in the background without much fanfare, but when we're talking about an app like Fortnite with likely tens of millions of installations, it shows just how seriously Google takes security in Android.
Update: This article has been updated with clarified information on the exploit, as well as a comment from Epic Games CEO Tim Sweeney.