Of course the Fortnite installer for Android comes with a big security problem – BGR

In the weeks leading up to the Fortnite for Android launch, we learned that Epic Games did not want to offer the game the traditional way, in order to avoid the 30% cut that Google would get on all in-game transactions. Back then, we told you it was wrong for the company to bypass the Google Play Store with the launch, and reminded you that sideloading apps is not advisable, even if they come from trusted sources.

Guess what? It turned out that we were right to be concerned about Epic's approach, because Google quickly detected a security flaw that allowed your device to install malicious apps without your explicit knowledge. From that moment on, the malware app could spy on everything you do.

As Android Central reports, the Google security team found the problem shortly after the game was launched, and Epic fixed it about 48 hours later. Google then disclosed the vulnerability to the public, something that Epic was not so enthusiastic about.

The Fortnite for Android installation consists of two parts. You download an installer first and then use that app to download the game. However, Google discovered a flaw in the installer that would allow "man-in-the-disk" attacks. As soon as you pressed the install button, a malware app already on your phone could listen in and hijack the download to install a different app. You would not know it was happening, because you would think you were getting the game. The installer would not realize that it was getting something else either.

As you may have noticed, the attack requires a malicious app to be already installed on your device. That does not mean Epic's security problem was not a big one. Given the popularity of Fortnite, it is no surprise that hackers would try to take advantage of Epic's greed.

If your phone then started installing a malware app, you would not be asked to approve the installation, because you had already agreed to get apps from "unknown sources" when you started the whole process. On Samsung phones it is even worse, because you get the game from the Galaxy Apps store, a well-known source.

The installed app could then quietly declare and receive all the permissions it wants without your consent. With full rights, a malware app can track everything you do, record all chats and phone calls, and always have access to your location, microphone and camera. A proof-of-concept attack is available on this link.
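
The download swap described above comes down to checking a file in storage other apps can write to and then reading it again at install time. The following is an added example, not Epic's or Google's code: it models that gap in Python and contrasts it with copying the download into a private directory and verifying that copy. The function names, the published `expected` SHA-256 digest and the byte strings standing in for APK files are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

class TamperedDownload(Exception):
    """Staged bytes do not match the digest the vendor published."""

def write(path, data):
    with open(path, "wb") as f:
        f.write(data)

def naive_install(shared_path, expected, gap=lambda: None):
    """Weak pattern: verify the shared file, then reopen it later to install."""
    with open(shared_path, "rb") as f:
        if hashlib.sha256(f.read()).hexdigest() != expected:
            raise TamperedDownload(shared_path)
    gap()  # window in which any app with storage access can rewrite the file
    with open(shared_path, "rb") as f:
        return f.read()  # bytes that would reach the package installer

def hardened_install(shared_path, private_dir, expected, gap=lambda: None):
    """Copy into app-private storage, hashing exactly the bytes copied."""
    os.makedirs(private_dir, mode=0o700, exist_ok=True)
    fd, private_path = tempfile.mkstemp(dir=private_dir, suffix=".apk")
    digest = hashlib.sha256()
    with os.fdopen(fd, "wb") as dst, open(shared_path, "rb") as src:
        for chunk in iter(lambda: src.read(65536), b""):
            dst.write(chunk)
            digest.update(chunk)
    if digest.hexdigest() != expected:
        os.unlink(private_path)
        raise TamperedDownload(shared_path)
    gap()  # the shared copy may change now; the private copy cannot
    with open(private_path, "rb") as f:
        return f.read()

def demo():
    """Constructed sample data: two byte strings stand in for APK files."""
    genuine, other = b"GENUINE-GAME-APK", b"SOME-OTHER-APK"
    expected = hashlib.sha256(genuine).hexdigest()
    with tempfile.TemporaryDirectory() as root:
        shared = os.path.join(root, "shared.apk")
        private = os.path.join(root, "private")
        swap = lambda: write(shared, other)  # models the second app's overwrite
        write(shared, genuine)
        naive = naive_install(shared, expected, gap=swap)
        write(shared, genuine)
        hardened = hardened_install(shared, private, expected, gap=swap)
        return naive == other, hardened == genuine
```

`demo()` returns a pair: whether the naive path ended up with the substituted bytes, and whether the hardened path still held the genuine ones.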

Epic was not happy that Google had not waited 90 days to reveal the problem. This is what CEO Tim Sweeney said in a statement:

Epic really appreciated Google's attempt to run an in-depth Fortnite security audit after our release on Android and share the results with Epic so that we could quickly publish an update to fix the error.

However, it was irresponsible of Google to make the technical details of the error public so quickly, while many installations were not yet updated and still vulnerable.

An Epic security engineer asked me to request Google to suspend public disclosure during the standard 90 days so that the update could be more widely installed. Google refused. You can read it all at https://issuetracker.google.com/issues/112630336.

Google's security analyses are appreciated and benefit from the Android platform, but a company as powerful as Google should be more responsible for publicity than this, and not endanger users during its counterpart PR efforts against the distribution of Fortnite by Epic outside of Google Play.

So Google helped Epic repair its blunder, even though the app was not available through the Google Play Store, and Epic is still the one that is unhappy? Of course, it is perhaps more important for Google to keep Android users safe than to make money with Fortnite.

Google's guidelines also include a different resolution process for 0-day attacks such as those in Fortnite:

When we observe a previously unknown and unpatched vulnerability in software under active exploitation (a "0 day"), we believe that more urgent action - within 7 days - is appropriate. The reason for this special designation is that every day an actively exploited vulnerability is not disclosed and non-patched, more devices or accounts are compromised. Seven days is an aggressive timeline and may be too short for some suppliers to update their products, but it should be enough time to publish advice on possible mitigations, such as temporarily disabling a service, restricting access or contacting the supplier for more information. As a result, after 7 days without a patch or advice, we will support researchers who provide details so that users can take steps to protect themselves.

What you need to do to protect yourself is to make sure that Fortnite installer v2.1.0 is installed on your Android and avoid installing non-Google Play store apps. Well, apart from Fortnite of course. As Google explained, you need an actual malicious app on your phone to hijack your download.
