Home > Android > The first Android Fortnite Installer had a serious vulnerability

The first Android Fortnite Installer had a serious vulnerability

Android 10 Comments

Google has just publicly disclosed that it discovered an extremely serious vulnerability in Epic’s first Fortnite installer for Android that allowed any app on your phone to download and install anything in the background, including apps with full permissions granted, without the user’s knowledge. Google’s security team first disclosed the vulnerability privately to Epic Games on August 15, and has since released the information publicly following confirmation from Epic that the vulnerability was patched.

In short, this was exactly the kind of exploit that Android Central, and others, had feared would occur with this sort of installation system.

Everybody rang the alarm bells about Epic distributing its Fortnite game outside of the Play Store, asking users to enable installation from untrusted sources, and here we are – the warnings were justified. Incredible.

Don’t install this garbage unless you know what you’re doing. It’s clear Epic cares more about its bottom line than its – often very young – players.

About The Author

Thom Holwerda

Follow me on Mastodon @[email protected]

10 Comments

  1. 2018-08-24 10:48 pm
    missingxtension

    From what I understand, this is a beta invite only version. It was patched, and I dont know if there is an auto update in place.

    Facebook does auto updates outside the play store on android, thats fking creepy.

    Back to this gaming on android thing, lets pretend its a console and it happens….

    Shame on the developer!!!! They should have at at least, at the very minimum! submitted the app to the play store and run it through the process. A company that big should have a play store account.

    I think google and everyone has share the blame.

    This includes the user, your phone is not a console dammmit!!

    • 2018-08-25 5:21 pm
      Odwalla

      Facebook does auto updates outside the play store on android, thats fking creepy. [/q]
      Which has nothing whatsoever to do with the topic being discussed.

      Back to this gaming on android thing, lets pretend its a console and it happens….

      Shame on the developer!!!!

      Do I need to also pretend to understand what you’re trying to say? Because I do not understand the point you’re attempting to make. What does a console have to do with this? Epic has successfully submitted Fortnite to three different console platforms with no issues. A phone is a platform. Some are closed platforms (Apple) and others are open platforms (Google). Epic is doing what is allowed on an open platform. For what exactly should we be shaming them?

      They should have at at least, at the very minimum! submitted the app to the play store and run it through the process.

      A process that ends with Google automatically pushing the certified app to the Play Store; the one thing Epic worked to not have happen because of Google’s 30% revenue share. You’d expect Epic to code in Store support, knowingly waste Google’s time and money to go through certification and the what, call up and say “hey, thanks for that, but pull our app down from the store, we were just using you.”?

      A company that big should have a play store account.

      I’m curious, how do you feel we should measure company size if we’re going to force companies to join developer programs they don’t want to join. Would your authoritarian distribution of unwanted SDKs be based on yearly revenue? Or maybe employee count? How about total aggregate square footage of the company’s office space? What’s the penalty if a large company doesn’t join the Google developer program? Will there be leniency for large companies not involved in technology? Aigle is one of the top 10 largest textile producers in the world. They, more than likely, have no need for a Google developer account. Will they be exempt from your moronic idea?

      google and everyone has share the blame.

      What did Google do? It’s not their fault the people who wrote Epic’s installer made a security blunder. Google went out of their way to discover the issue and alert Epic. They went above and beyond what they had to do, because they want the Android platform to be trusted.

      [q]This includes the user, your phone is not a console dammmit!!

      My phone is my phone and you have no standing to try to tell me what I can and cannot use it for, you self righteous, ignorant, foul-mouthed, jerk. You really have some awful nascent dictatorial qualities about you. You want to force companies to do things and you feel you have the right to control what people do with their possessions.

      • 2018-08-26 6:45 pm
        missingxtension

        I’ll reply to you once I get a proper os/keyboard on my hands

        • 2018-08-29 12:25 pm
          Odwalla

          2 1/2 days later…

  2. 2018-08-25 1:27 am
    Licaon_Kter

    > Google still managed to catch this vulnerability even though the app isn’t being distributed through the Play Store

    Biggest game of the day decides to skip their store, and they casually scan their installer and find 0-days of sorts, yup… totally innocent…

    So, does Google detect apps from their store that “look for requests to download something from the internet and intercepts that request to download something else instead, unbeknownst to the original downloading app” making this a non-issue then?

  3. 2018-08-25 4:04 am
    ssokolow (Hey, OSNews, U2F/WebAuthn is broken on Firefox!)

    that allowed any app on your phone to download and install anything in the background, including apps with full permissions granted, without the user’s knowledge. [/q]

    [q]Going further, that app that was just installed silently can declare and be granted every permission possible without your further consent.

    What I’d like to know is how this is allowed to bypass the OS-provided permissions prompts that I encounter every time I update an application installed by F-Droid . Does the Fortnight installer request every permission it thinks the game might ever possibly need and then implement its own promptless permissions system underneath that?

    Edited 2018-08-25 04:04 UTC

  4. 2018-08-27 2:30 am
    MadRat

    Seems like they knew the ramifications before publishing. The public that trusted them should be given a full account of who had the knowledge and any details of abuse.

    Seems convenient for sovereign entities marketing free stuff to ignorant masses to basically root their devices and steal their intellectual interests. The KGB and PRC have to love this conduit into American homes.

    • 2018-08-27 11:23 pm
      TheForumTroll

      What is this KGB you talk off? Kakadu Googlygook Bureau?

      Everyone knows that the US is the one listening to everything and stealing intellectual property. Even Kakadu Googlygook Bureau isn’t half as bad.

  5. 2018-08-27 2:48 pm
    jmorgannz

    The out of the ordinary thing here is not that a software provider deployed software to a user’s device that weakened it’s security and provided a new attack vector.

    This will be standard practise on platforms that do not certify/manage app installs (read, any OS that doesn’t use a ‘store’ model), and 99% of the time goes un-noticed.

    The out of the ordinary thing is that Google did some research and discovered it in Epic’s app, and promptly instigated having it fixed, making sure everyone knew it did so.

    Brilliant calculated political statement by Google given the discussion regarding app stores Epic had stirred.

    Edited 2018-08-27 14:51 UTC

  6. 2018-08-28 1:33 pm
    Munchkinguy

    I don’t understand, Thom. You’ve dedicated quite a bit of space on this website to editorializing against app stores like Google Play. Now you are criticizing Epic for not distributing their beta through Google Play?