Fortnite Android installer can let hackers add malware

Is Fortnite failing? No, we’re not making a final judgment yet but Epic Games has been experiencing a number of issues since its launch. The company decided to release Fortnite through its website via an installer, bypassing the Google Play Store. The game isn’t available in the Play Store because Epic believes “competition among software sources on Android” would be good. The decision may also have something to do with not sharing the revenue with the tech giant. You see, Google usually takes 30 percent of all purchases made within apps.

The popular game first came to iOS, but it’s only this year that the Android community is receiving Fortnite. Many people were excited about the release, which first came to the Samsung Galaxy Note 9 and the Galaxy Tab S4. Epic Games then launched Fortnite on its official website as an installer.

An unexpected problem surfaced: the installer had a security flaw that would allow a hacker or malicious actor to install any malware. That is a possibility, as is the case with any software. Google was quick to point out Epic Games’ mistake of not distributing the game through the Play Store.

Unknown sources can take advantage of the situation and add security risk. We don’t want to imagine the worst that could happen but anything is possible.

Mobile games are better off released through a more proper channel like the Play Store because of specific features and protection. Google criticized Epic Games’ move, and it looks like the download and installation process is now taking the heat.

Fortnite Battle Royale for Android

A Google engineer noted that the installer could potentially let an attacker in, since the game starts as an APK that is then stored locally before launch. Any hacker could just bring in a new file named com.epicgames.fortnite to be launched instead, in what is described as a “man in the disk” attack. “Edward”, the Google engineer, said the problem could still be fixed easily and noted some items the game developer should have done or used.

This kind of vulnerability is real, although there is no related report yet. Google was simply quick to notice the issue. The installer can be exploited to do any request from any bad guy.

This isn’t the first time we’re hearing about a Fortnite issue. Even before its official release, many devs were already coming up with fake apps and fake sites.

Epic has already worked on the problem. However, Google appears to be bent on noting Epic Games’ mistake of bypassing the Play Store. The issue is now on the Google Issue Tracker site even after Epic InfoSec requested the tech giant to wait before making the information public.

We see this as Google warning app and game developers not to skip the Play Store, or else they would experience unwanted problems.

Here’s what Epic Games CEO Tim Sweeney has to say about the issue:

“Epic genuinely appreciated Google’s effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered.

However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable.

An Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed. Google refused. You can read it all at https://ift.tt/2PBk1Mg

Google’s security analysis efforts are appreciated and benefit the Android platform, however a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic’s distribution of Fortnite outside of Google Play.”

VIA: TechCrunch

via Android Community

August 26, 2018 at 10:39PM