The decision by Epic Games to distribute Fortnite outside the Google Play Store has been widely criticized. Since the initial game installation and subsequent updates are handled by the Fortnite launcher app, instead of the Play Store (or Galaxy Apps on Samsung devices), Epic has to build its own security infrastructure. In a moment of "I told you so," the first major security flaw with Fortnite for Android has been discovered by none other than Google.
Last week, a Google engineer made a post on the company's Issue Tracker, explaining a vulnerability discovered in the Fortnite launcher application. When the launcher app downloads the actual game APK, it checks the signature to ensure the file hasn't been tampered with. However, the launcher doesn't check the APK's integrity again before the installation process begins, only the package name.
The engineer pointed out that a malicious application with the WRITE_EXTERNAL_STORAGE permission could replace the Fortnite APK immediately after the download process is completed, but before the user actually accepts the installation.
On Samsung devices, the Fortnite Installer performs the APK install silently via a private Galaxy Apps API. This API checks that the APK being installed has the package name com.epicgames.fortnite. Consequently the fake APK with a matching package name can be silently installed.
If the fake APK has a targetSdkVersion of 22 or lower, it will be granted all permissions it requests at install-time. This vulnerability allows an app on the device to hijack the Fortnite Installer to instead install a fake APK with any permissions that would normally require user disclosure.
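The gap described above is a check-then-use race on a file other apps can overwrite. The following is an added example, not code from Epic or Google: it models the defensive pattern in Python with ordinary files, copying the download into installer-private storage and verifying the digest of the exact bytes that will be installed. The function names, paths and the trusted expected digest are assumptions.

```python
import hashlib
import hmac
import os
import tempfile


def stage_and_verify(download_path, expected_sha256, private_dir):
    """Copy the download into private storage; return it only if the digest matches."""
    os.makedirs(private_dir, mode=0o700, exist_ok=True)
    fd, staged = tempfile.mkstemp(dir=private_dir, suffix=".apk")  # created 0600
    digest = hashlib.sha256()
    try:
        with os.fdopen(fd, "wb") as dst, open(download_path, "rb") as src:
            for chunk in iter(lambda: src.read(65536), b""):
                digest.update(chunk)  # hash the bytes being staged, not an earlier read
                dst.write(chunk)
        if not hmac.compare_digest(digest.hexdigest(), expected_sha256.lower()):
            raise ValueError("APK digest mismatch; refusing to install")
    except BaseException:
        os.unlink(staged)  # never leave an unverified file in the install location
        raise
    return staged


def demo():
    """Constructed scenario: the shared file is replaced after the download completes."""
    genuine = b"constructed bytes standing in for the genuine APK"
    expected = hashlib.sha256(genuine).hexdigest()  # assumed to come from a trusted source
    with tempfile.TemporaryDirectory() as root:
        shared = os.path.join(root, "shared", "game.apk")  # stands in for external storage
        private = os.path.join(root, "private")  # stands in for app-private storage
        os.makedirs(os.path.dirname(shared))
        with open(shared, "wb") as f:
            f.write(genuine)
        staged = stage_and_verify(shared, expected, private)
        with open(shared, "wb") as f:  # another app overwrites the shared file
            f.write(b"constructed bytes standing in for a replaced APK")
        try:
            stage_and_verify(shared, expected, private)
            rejected = False
        except ValueError:
            rejected = True
        with open(staged, "rb") as f:
            intact = f.read() == genuine  # the verified private copy is unaffected
        return intact, rejected, len(os.listdir(private))


if __name__ == "__main__":
    print(demo())
```

A package-name check alone would accept both files in this scenario; the digest check on the privately staged copy accepts only the first.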
Epic Games originally asked Google to wait 90 days before publishing the exploit, as is standard practice (so malicious apps can't take advantage of it before a fix is rolled out). A fix began rolling out the day after the issue was originally reported. Instead of waiting 90 days, Google made the page public after just a week, "in line with Google's standard disclosure practices."
I'm still not a fan of Epic Games' decision to skip the Play Store, but I can't criticize the company too much in this specific case. An employee from Epic responded to the initial report just seven minutes after it was published, and a fix began rolling out to users the next day. This wouldn't have been a problem if Fortnite was on the Play Store, but the turnaround was remarkably quick.
- Google Issue Tracker
- Android Central