Google Researchers Find Dangerous Security Flaw in Fortnite’s Android App

Jordan Kadlec

Fortnite

Photo courtesy of TheNerdMag.com

Over the last eight months, Fornite has taken the gaming industry by storm. With its 100 player-versus-player, victory royale format, Fortnite has attracted gamers from all over the world. The video game, which is believed to be the first game to be available across all gaming platforms, generates an estimated $1 million per day. However, Google security researchers recently discovered a vulnerability in Fortnite’s Android app that’s causing some concern.

Man-in-the-Disk Attacks

The vulnerability, dubbed as Man-in-the-Disk (MitD) attacks, allows low-privileged malicious apps already installed on a user’s phone to hijack the Fortnite app’s installation process and install other malicious apps that have a higher permissions level.  

To better understand MitD attacks, cybersecurity firm Check Point recently released an article detailing what this kind of attack entails. MitD attacks are possible when an Android app stores data on External Storage mediums, outside its highly-secured Internal Storage space. An attacker can watch a specific app’s External Storage space and tamper with the data stored in this space because it is shared by all apps.

Fortnite’s Android app is vulnerable to this attack because the app does not contain the actual game but is merely an installer. Once users install the app, this installer uses the device’s External Storage space to download and install the actual game.

“Any app with the WRITE_EXTERNAL_STORAGE permission can substitute the APK immediately after the download is completed and the fingerprint is verified. This is easily done using a FileObserver. The Fortnite installer will proceed to install the fake APK,” a Google researcher wrote in the bug report recently published. “If the fake APK has a targetSdkVersion of 22 or lower, it will be granted all permissions it requests at install-time. This vulnerability allows an app on the device to hijack the Fortnite installer to instead install fake APK with any permissions that would normally require user disclosure.”

Epic Games Responds to Vulnerability

Epic Games, the developer of Fortnite, has since become aware and issued a patch for the vulnerability. However, Epic Games was extremely unhappy with Google making the vulnerability so public.

“We asked Google to hold the disclosure until the update was more widely installed. They refused, creating unnecessary risk for Android users in order to score cheap PR points,” said Epic Games CEO Tim Sweeney on Twitter.

In a PR move of their own, Epic Games made gaming headlines by offering a “free dance” for all users who turn on two-factor authentication on the app to provide for higher security.

While this vulnerability has been patched and incentives are being offered for upping security on applications, Fornite shows the world what the future of gaming will be. Video games will be offered across all gaming platforms and, unfortunately, cybercriminals are going to attempt to sabotage these games in any way possible.

Share this: