Slashdot Mirror


Epic's First Fortnite Installer Allowed Hackers To Covertly Download and Install Anything on Users' Android Phones, Google Researchers Say (androidcentral.com)

Epic decided to ditch Google Play Store for its sleeper hit Fortnite. By doing so, while Epic may have saved some money that it would have had to split with Google, it also ran into an issue that it could have avoided had it not parted ways with Google. AndroidCentral reports: Google has just publicly disclosed that it discovered an extremely serious vulnerability in Epic's first Fortnite installer for Android that allowed any app on your phone to download and install anything in the background, including apps with full permissions granted, without the user's knowledge. Google's security team first disclosed the vulnerability privately to Epic Games on August 15, and has since released the information publicly following confirmation from Epic that the vulnerability was patched.

[...] When you go to download "Fortnite" you don't actually download the whole game, you download the Fortnite Installer first. The Fortnite Installer is a simple app that you download and install, which then subsequently downloads the full Fortnite game directly from Epic. The problem, as Google's security team discovered, was that the Fortnite Installer was very easily exploitable to hijack the request to download Fortnite from Epic and instead download anything when you tap the button to download the game. It's what's known as a "man-in-the-disk" attack.
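The check-then-use gap behind a man-in-the-disk flaw, as an added Python sketch (not code from Epic, Google or the article). It assumes the usual pattern, which the summary does not spell out, that the download is staged in storage other apps can write to; every name and byte string here is constructed.

```python
import hashlib
import os
import tempfile

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def install_from_shared(path, expected, other_writer=None):
    """Weak pattern: verify the file at `path`, then re-open it to install."""
    with open(path, "rb") as f:
        if sha256(f.read()) != expected:
            raise ValueError("digest mismatch")
    if other_writer:                 # models the window between check and use
        other_writer(path)
    with open(path, "rb") as f:      # second read is no longer what was verified
        return f.read()

def install_from_private(download, expected, private_dir):
    """Hardened pattern: stage in an owner-only dir, verify, install those same bytes."""
    os.chmod(private_dir, 0o700)
    staged = os.path.join(private_dir, "pkg.apk")
    fd = os.open(staged, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(download)
    with open(staged, "rb") as f:
        data = f.read()
    if sha256(data) != expected:
        os.unlink(staged)            # never leave an unverified package staged
        raise ValueError("digest mismatch")
    return data                      # hand exactly these verified bytes onward

def demo():
    genuine = b"constructed-genuine-package"
    other = b"constructed-replacement"
    expected = sha256(genuine)       # stands in for a digest pinned by the vendor
    def swap(p):
        with open(p, "wb") as f:
            f.write(other)
    with tempfile.TemporaryDirectory() as shared, tempfile.TemporaryDirectory() as priv, tempfile.TemporaryDirectory() as priv2:
        path = os.path.join(shared, "pkg.apk")
        with open(path, "wb") as f:
            f.write(genuine)
        weak = install_from_shared(path, expected, swap)
        strong = install_from_private(genuine, expected, priv)
        try:
            install_from_private(other, expected, priv2)
            rejected = False
        except ValueError:
            rejected = True
    return weak == other, strong == genuine, rejected
```

`demo()` returns three booleans: the shared-path flow ended up with the replaced bytes, the private flow kept the genuine ones, and a mismatching download was rejected.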


  1. That's just Epic's stupid way of doing things by Anonymous Coward · · Score: 2, Insightful

    They have an installer for everything, or a "launcher" which is a repackaged web browser that downloads things for you or lets you access their web store for content.

    Epic could let you just download directly from your browser but then the walled garden Apple wanna-be aspirations would be gone.

  2. not just fortnight. by nimbius · · Score: 4, Informative

    When you go to download "Fortnite" you don't actually download the whole game, you download the Fortnite Installer first.

    So this is actually a common method for a lot of applications in the Play Store as well. It's the lazy app developer's "curl|sudo /bin/bash" approach to installation. The difference being many of these other apps paid their play store fe--er, I mean those applications are protected by Google.

    --
    Good people go to bed earlier.
    1. Re: not just fortnight. by Maritz · · Score: 1

      Do you argue against real points, or just this embarrassing straw man shit? I mean, I'm cringing for you, it's that fucking pathetic. Find some shame from somewhere, people might start liking you more.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
  3. it's like a boot disk... by MJhasHIV · · Score: 1

    or something

  4. can I say... by shentino · · Score: 1

    Epic Fail?

  5. private Galaxy Apps API by iTrawl · · Score: 1

    Leave it to Samsung to write code that allows apps to install without asking you to confirm permissions.

    --
    "Everybody's naked underneath" -- The Doctor
  6. Re:So generic installer, lets apps install softwar by rjr162 · · Score: 1

    Exactly this and my thoughts.

    What this says to me is there are no checks on an application calling files belonging to another within Android.

    Granted security apps would need this ability, but by default Android should block this and only grant by given permission, and in that case it doesn't seem like the Play Store would have helped as there are other Android apps I've downloaded from the Play Store that do similar things (including with purchasing optional add-ons etc).

  7. Android is open! Android is free! by AmazingRuss · · Score: 1

    Android is broken... but you can fix it yourself with the source code!

  8. Makes me wonder... by Travelsonic · · Score: 1

    How many of these other applications that use similar installers have such vulnerabilities (irrespective of program, or the platform they run on)? This is a trend I'm seeing a lot, "installers" that download the program, rather than just installing them.

    --
    If you believe in privacy, and believe you have "nothing to hide" at the same time, you're a goddamned idiot
  9. Color me obvious by shanen · · Score: 1

    If I ever got a mod point I'd probably give that one a funny, though there's an element of insight, too. Other aspects of the problems are too obvious for comment.

    Instead, I'll just ask again for solution approaches. Obviously signed code from reliable sources is one, but I'd prefer to see the Google stop abusing everyone and start using some of the information in our favor. In the Android app case, that would involve sharing the financial information to help the potential victims recognize the probable crooks.

    --
    Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.