Google has announced that extremely serious vulnerability has been detected in the popular gaming app for Android called Fortnite.
The Fortnite installer could enable other installed applications on the device to exploit the vulnerability and manipulate installation process to download the malicious software instead of the actual Fortnite application.
Even though security researchers warned a software developer Epic Games about potential security risks, the company has announced that the popular gaming app Fortnite for Android will be available to download through its own app, instead of the official Google Play app store.
It is worth mentioning that users are recommended to download apps for Android only through the official Google Play app store. In addition, a user who wants to download an app outside of the Google Play store needs to adjust some of the security features on the device.
Security researchers at Google provided users with a proof-of-concept video which illustrates the potential attack taking advantage of a man-in-the-disk also known as MiTD vector.
In a nutshell, man-in-the-disk attacks allow malicious apps to manipulate the data of other apps held in the unprotected external storage before they read it, resulting in the installation of undesired apps instead of the legitimate update.
Google also has announced that the WRITE_EXTERNAL_STORAGE permission could be used to intercept the installation and replace the file with a malicious app instead.
According to a developer at Google, the Fortnite Installer performs the APK install silently via a private Galaxy Apps Api, on Samsung smartphones and tablets.
This API checks that the APK being installed has the package name com.epicgames.fortnite. Consequently, the fake APK with a matching package name can be silently installed. If the fake APK has a targetSdkVersion of 22 or lower, it will be granted all permissions it requests at install-time. This vulnerability allows an app on the device to hijack the Fortnite Installer to instead install a fake APK with any permissions that would normally require user disclosure.
Patch Update available
Impacted only Samsung devices
The Fortnite installer was launched on Samsung devices exclusively, as a result, the flaw only affected the installer available on the Galaxy Apps store
The patch was introduced after 48 hours once the Google reported about the issue. Thus, users are highly recommended to install an updated version of the Fortnite installer version 2.1.0.
The company has not released any more information on this vulnerability. Thus, it is not clear if the flaw has been exploited in the wild or how many users have downloaded the vulnerable Fortnite Installer.