If you’ve followed Fortnite on Android’s development you know that Epic Games decided to bypass the Google Play Store and go straight to their own custom installer.
The installer just downloads the Fortnite APK to external storage, verifies it, and executes.
Turns out, as Google published here, that any application with WRITE_EXTERNAL_STORAGE could swap out the APK right after it’s downloaded and verified causing a different app to be installed.
From here we switch into 98.7% of a press release I received.
Samuel Bakken, senior product marketing manager for OneSpan, commented:
“Google did some simple risk calculus to determine that, because of its popularity, the Fortnite for Android app could impact the security of Android users. Some suggest it’s vengeance for Epic Games having side-stepped the Google Play store for distribution — regardless, it’s sensible security practice on Google’s part.
The Google Play Protect service, which provides some basic mobile security features, will scan a device for installed apps including apps like Fortnite that are downloaded from sources other than the Google Play store to alert users to an app that might put their device at risk. Obviously in this case it’s a good thing Google took a closer look at Fortnite for Android.
Kudos to Epic Games for taking security seriously and releasing a patch so quickly, not that they had much of a choice with all the attention being paid to their distribution experiment.
Using Android External Storage to facilitate installs/updates is what led to this man-in-the-disk vulnerability, which can lead to the installation of malware without any notification to the user. Would regular Google Play store review have caught this vulnerability before the app was published? It’s possible but not certain that the usual automated assessments would have identified it.
This serves as further evidence that for developers/publishers of high-value mobile apps, securing their own code is not enough. They also need runtime protection to safeguard their own apps against malware and/or devices compromised as the result of other vulnerable mobile apps in the Android ecosystem that put their apps, their users, and their businesses at risk.”
End of press release.
So yeah, Epic Games had a potential Epic Fail on their hands. Don’t trust game developers to deliver any sort of reasonable security. That said, it’s at least patched at the moment.