Epic's First Fortnite Installer Allowed Hackers To Covertly Download and Install Anything on Users' Android Phones, Google Researchers Say

Epic decided to ditch Google Play Store for its sleeper hit Fortnite. By doing so, while Epic may have saved some money that it would have had to split with Google, it also ran into an issue that it could have avoided had it not parted ways with Google. AndroidCentral reports: Google has just publicly disclosed that it discovered an extremely serious vulnerability in Epic's first Fortnite installer for Android that allowed any app on your phone to download and install anything in the background, including apps with full permissions granted, without the user's knowledge. Google's security team first disclosed the vulnerability privately to Epic Games on August 15, and has since released the information publicly following confirmation from Epic that the vulnerability was patched.

[...] When you go to download "Fortnite" you don't actually download the whole game, you download the Fortnite Installer first. The Fortnite Installer is a simple app that you download and install, which then subsequently downloads the full Fortnite game directly from Epic. The problem, as Google's security team discovered, was that the Fortnite Installer was very easily exploitable to hijack the request to download Fortnite from Epic and instead download anything when you tap the button to download the game. It's what's known as a "man-in-the-disk" attack.

That's just Epic's stupid way of doing things

They have an installer for everything, or a "launcher" which is an repackaged web browser that downloads things for you or lets you access their web store for content.

Epic could let you just download directly from your browser but then the walled garden Apple wanna-be aspirations would be gone.

Re: That's just Epic's stupid way of doing things

There's an idea, they make tablets just to play Fortnite and nothing else.

Walled gardens

So glad its not walled

download and install anything in the background?

I swear, it's like our surveillance devices (phones) are deliberately being compromised. I know it sounds like tinfoil hat territory, but in this day and age it should be rare and unusual news when this kind of thing happens, not a daily occurrence.

Doesn't CaptainDork play Fortnite a lot?

I wonder what he has to say.

not just fortnight.

[nimbius]

When you go to download "Fortnite" you don't actually download the whole game, you download the Fortnite Installer first.

so this is actually a common method for a lot of applications in the play store as well. its the lazy app developers "curl|sudo /bin/bash" approach to installation. The difference being many of these other apps paid their play store fe--er, i mean those applications are protected by Google.

Re: not just fortnight.

Yeah it is stupid to make sure the apps are safe. It should be a free service. College for all, free medical care, diners that stay open for nostalgia while losing cash, you know the old smash and grab politics of the left. Wave the flag get your head beat in because fascism or whatever they hate today. But it has to be free see.

Re: not just fortnight.

You seriously need to grow up and read a book.
And stop listening to Fox News

Re: not just fortnight.

[blahplusplus]

Yeah it is stupid to make sure the apps are safe. It should be a free service. College for all, free medical care, diners that stay open for nostalgia while losing cash, you know the old smash and grab politics of the left. Wave the flag get your head beat in because fascism or whatever they hate today. But it has to be free see.

Gee it's shit like this that makes me think the world has gone downright insane, there is no real left wing movement in america. There is one party, the party of big business with it's two wings republicans and democrats.

Indeed america is filled with raging communists given the bottom 80% of society holds a meager 5% of the total financial wealth of the economy.

https://whorulesamerica.ucsc.e...

If numbers and science were anything to go by, if you are working class or poor and aren't left wing and american, you are pretty damn uninformed. But that's america for ya.

George carlin said it best about american citizens:

https://www.youtube.com/watch?...

Re:not just fortnight.

Explain how on Android one app can install apk of different app with full permissions without even notifying user.
Sounds like shitty security.

Re: not just fortnight.

When you complain that other people are wealthier than you, you are just being a jealous ass.
If you have enough to eat, if you have a home, clothes... then whining that someone else has more food, or better clothes, is just pathetic.

I don't give a fuck that I'm in the bottom 80% of the US wealth distribution. Who cares that Musk and Brin can buy thousands of hookers and tons of blow? Are you really so small-minded that the thought of someone else having more than you makes you so angry?

If you are starving, if you are homeless - THEN you can complain. But petty envy just proves how shallow and pitiful an existence you are.

Re: not just fortnight.

If you think that wealth inequality and collusion of capital and politics is about jealousy over clothes, you might as well excuse yourself from future discussion.

Re: not just fortnight.

The bottom 80% of society in the US is far better off than most of the world.

The fact that the top percentages in the US owns a lot of wealth, is because the US has been incredibly successful at creating wealth.

Leftists are near-universally psychopaths. Any well-known political gathering of leftists scores towards the top of the medical scale of psychopathy: http://www.minddisorders.com/Flu-Inv/Hare-Psychopathy-Checklist.html

glib and superficial charm
grandiose (exaggeratedly high) estimation of self
need for stimulation
pathological lying
cunning and manipulativeness
lack of remorse or guilt
shallow affect (superficial emotional responsiveness)
callousness and lack of empathy
parasitic lifestyle
poor behavioral controls
sexual promiscuity
early behavior problems
lack of realistic long-term goals
impulsivity
irresponsibility
failure to accept responsibility for own actions
many short-term marital relationships

Check Hollywood up against this.

And the effect is that when leftists get enough power to put their plans into action without a real opposition, society becomes some dystopian horror movie.

You could also check this against Trump.....

Re: not just fortnight.

[Maritz]

Do you argue against real points, or just this embarrassing straw man shit? I mean, I'm cringing for you, it's that fucking pathetic. Find some shame from somewhere, people might start liking you more.

it's like a boot disk...

[MJhasHIV]

or something

Just another Epic stupid way of doing things?

Wanna see a stupid way of doing things? https://www.cnbc.com/2018/08/24/trump-paid-michael-cohen-more-than-what-he-stated-in-financial-disclosure.html

Another? https://www.washingtonpost.com/opinions/tax-crimes-brought-down-al-capone-what-about-trump/2018/08/23/996cea04-a710-11e8-8fac-12e98c13528d_story.html

Google-focused much?

So a big-time publisher decides to avoid the 30 percent Troll (google) tax for their app.. and suddenly Google is there to the rescue to immediately identify an issue that hundreds of publishers already know and have dealt with in the past. This article is directly supporting the bottom line of the walled-garden methodology. The wall-owner is hell-bent on letting world+dog on why their wall is the best wall and if you don't like the wall.. and won't pay for the wall... you are somehow complacent in a lack of good judgment.

Peace out.

Re:Google-focused much?

Pretty sure this issue has nothing to do with avoiding play store. Read advisory https://issuetracker.google.com/issues/112630336
It's the official play store app that doe this second stage download. A lot of large apps do it.

can I say...

[shentino]

Epic Fail?

So generic installer, lets apps install software

So a generic installer for a game allows other apps to install additional software.

If an app is using the Fortnight/Epic installer, your phone has already been compromised--pretty much a non-issue

Re:googles own damn fault.

Maybe Google should offer a reverse progressive "store tax", but then the smaller developers would freak out about it. Cost plus 20% would be reasonable, but then Google would reveal its costs to the competitors. 30% of the app price should really be too much for any publicly listed company that wants to generate revenue and profit. Something must be done.

Re: not just fortnight, KILL ACTUAL NAZI SCUM

That's just what these RIDICULOUS NAZI FAGGOTS want you to think, their whole thing is being faggots online to demoralize "the left" lol. You're looking at it wrong, it's fucking hilarious.

When Trump hangs they'll know too.

Re:Android sucks

If you buy a cheap piece of crap you get a cheap piece of crap.
If you get a decent device running android its way better than the 5 years behind IOS devices

private Galaxy Apps API

[iTrawl]

Leave it to Samsung to write code that allows apps to install without asking you to confirm permissions.

Full permissions

including apps with full permissions granted

No doubt that 90% or more of those have no real need for those full permissions. Thanks Google, for allowing, even encouraging such behaviour.

Re:So generic installer, lets apps install softwar

[rjr162]

Exactly this and my thoughts.

What this says to me is there's no checks on an application calling files belonging to another within Android.

Granted security apps would need this ability, but by default android should block this and only grant by given permission, and in that case it doesn't seem like the Play Store would have helped as there's other Android apps I've downloaded from the Play Store that do similar things (including with purchasing optional add-ons etc)

Not the only one

Maybe not so much now given someone appears to have lit a fire under Gaben's ass to take security seriously but Steam and many games on it do the same thing. I stopped reporting things like this to Valve because they don't respond nor really give a damn.

The entire Steam installer could be hijacked because not only did they not use SSL for many things, but in places where they did, it wasn't verified. Google really shouldn't be throwing stones anyway when they themselves live in glass homes (no pun intended).

Malware?

After downloading and running that installer on my Redmi 5A (it failed due to my phone not being in the list of supported devices), I rebooted it and got a weird message that the encrypted partition was corrupted (yes, I do use device encryption).

I had to factory-reset it (as the message suggested), but it's probably compromised now.
Dammit.

Re: Malware?

No, you're shitty Chinese phone probably just corrupted the filesystem on its own when the download used up a bunch of space on the partition.

Re:Malware?

So you ran something that wasnt supported, and it didnt work. I'm shocked !

Re: Malware?

Well, Xiaomi is much better than the other garbage.
Also, I love "you're" grammar.

Re: Malware?

P.S. it was not even downloading anything - have you read my comment at all?

Android is open! Android is free!

[AmazingRuss]

Android is broken... but you can fix it yourself with the source code!

Makes me wonder...

[Travelsonic]

How many of these other applications that use similar installers have such vulnerabilities (irrespective of program, or the platform they run on)? This is a trend I'm seeing a lot, "installers" that download the program, rather than just installing them.

Color me obvious

[shanen]

If I ever got a mod point I'd probably give that one a funny, though there's an element of insight, too. Other aspects of the problems are too obvious for comment.

Instead, I'll just ask again for solution approaches. Obviously signed code from reliable sources is one, but I'd prefer to see the Google stop abusing everyone and start using some of the information in our favor. In the Android app case, that would involve sharing the financial information to help the potential victims recognize the probably crooks.