A storm of security problems is closing in on the Android version of Fortnite, and it will probably not pass quickly.
Developer Epic Games has just fixed a security flaw in the Fortnite installer for Android devices, but researchers expect many more problems for the online game as it becomes increasingly popular on Android.
That's because Fortnite is not available through Google's Play Store. Epic chose an unorthodox – and more dangerous – route for fans of the game. Rather than downloading it from the official Google app store, players have to download the game and sideload the app onto their Android devices.
That Epic is allowed to do this underscores why Google's Android is often criticized for its security chops. While Apple locks down its iPhone so you can only download apps from the App Store, Android lets you download programs in several ways. But that freedom comes with risk: apps from outside the Play Store are nine times more likely to contain malware, according to Google.
Given Fortnite's influence on more than 125 million players, teaching people to download apps outside the official store exposes millions of people to a risky practice, researchers warn. Even if Epic means no harm, other apps may have more harmful plans.
"The problem with Fortnite is that it is so attractive, and people are starting to think that sideloading is completely normal," says Craig Williams, a security researcher and contact person for the Cisco Talos Intelligence Group. "They have made themselves an attractive target."
Why does Epic go around Google? It does not want to give up the 30% cut of sales that all app makers have to share with the search giant. And given how incredibly popular Fortnite has proven – with players willing to spend real money on taunts and skins – that means significantly more revenue for the developer.
Fortnite's Android fans could ultimately pay the real price.
What was the vulnerability?
It did not take long before a problem arose. Only two days after Fortnite became available on Android, a Google technician discovered a vulnerability that allowed a hacker to replace the app with a fake version of the game. The technique is known in cybersecurity circles as a man-in-the-disk attack because it exploits openings in external storage, like your SD card, to install malware.
Google said in a statement that it immediately informed Epic of the vulnerability.
Epic Games fixed the vulnerability with a patch on August 16 and asked Google to keep it under wraps for 90 days, so players would have plenty of time to install the patch before the vulnerability became public.
Instead, Google disclosed it to the public a week later. Epic Games CEO Tim Sweeney criticized Google for reporting the flaw so quickly, arguing that it was not enough time to roll out the patch to everyone. Sweeney accused Google of trying to "score cheap PR points."
But Scott Helme, an independent security researcher from the United Kingdom, said that the seven-day period was normal.
"You always want to reveal earlier because it informs people that they need a patch now," Helme said. "People are much more inclined to update now than next week or next month."
Sweeney's reaction – faulting Google for following a standard security practice – suggests that Epic may not fully understand the extent of the potential cybersecurity risks.
Epic did not respond to a request for comment.
The debate about publicizing the vulnerability would have been moot if Epic had just launched the game in the Play Store.
Google can more easily get the word out about the need for a patch and push updates through the Play Store. It is a completely different process for sideloaded apps, Helme said.
Sweeney said in a tweet that the installer only updates when the game is active. That means you only get the fix when you start playing Fortnite. If you have not touched the game in days or weeks, your installer is still vulnerable, which researchers warn puts your device at risk.
However, do not expect Epic to bring Fortnite to the Play Store soon, even though the security problem flared up just as many people had warned.
"It kind of came back to bite [Epic Games] in the ass," Helme said.
And the risk does not come only from Epic itself. Within the first day after the developer released Fortnite for Android devices, Helme said, fake Fortnite games made up nearly a third of the malware samples discovered that week.
When Williams looked at the fake Fortnite apps spamming the internet, they were mostly adware-bloated versions of the game. Scammers offered the same gaming experience, but interrupted it with ads shown to their victims.
The fake versions were simple and could not do enormous damage, such as stealing your account data or rooting your devices, he noted.
But as long as Epic Games makes players sideload Fortnite on Android and the game grows more popular, it will only get worse.
"What we are seeing now is the low-hanging fruit forms of malware," Williams said. "As time goes by, we will see that more complex samples take root."