Fortnite on Android installer leaves users vulnerable to hackers
At the time, Epic outlined how it was skirting the Google Play Store so it could avoid what it saw as an unfair 30% cut of in-game purchases syphoned off by Google as a fee for using its app store. Turns out that wasn’t the smartest move, as Google has revealed that Epic’s Fortnite installer for Android left users incredibly vulnerable to hackers.
A disclosure on Google’s Issue Tracker site for Android developers reveals that Epic’s initial Fortnite installer for Android allowed ANY app on your phone to download and install ANYTHING it liked. What’s more, it let them do it in the background, meaning that an app didn’t need to flag to users that it was downloading content to a device over a user’s data. It also opened the door to nefarious uses, allowing fake apps to act as shells for hackers to enter devices or install malware onto a user’s phone.
Google did get in contact with Epic over the issue, allowing it to update the Fortnite installer on Android before Google went public with the vulnerability. However, it does show that the 30% fee Epic tried to avoid clearly isn’t just there to hit developers; it’s designed to ensure apps are truly secure before being downloaded.
Fortnite on Android hack: Just what is the vulnerability?
The Fortnite on Android vulnerability occurred because, when you download Fortnite from Epic’s website on Android, you’re actually just downloading an installer, rather than the full game. The Fortnite installer then does the heavy lifting, downloading the game in its entirety directly from Epic’s servers.
The problem with this, as Google’s security team discovered, is that Epic’s Fortnite installer was very easy to exploit. A malicious user could hijack the request from the Fortnite installer to Epic’s servers and have it download anything instead when you tap the “download” button in the app.
You may think this isn’t much of an issue, after all, who’s going to be sitting around to jump on a lead like that? However, all you have to have is one unsavoury app on your phone that’s just waiting for an exploit and you’re vulnerable. Given the popularity of Fortnite, and its highly anticipated release on Android, it’s more than likely many of these apps do exist already and could be lying in wait on a device.
What makes matters worse is that, once you’ve given the Fortnite installer permission to download an app in the background, it never needs to ask you again. This means that, if an app exploits such a vulnerability, you’ll never be prompted again when it downloads something in the background. The Fortnite installer is also a dumb app: it has no knowledge that it’s not connected to Epic’s servers to download Fortnite. It just knows it’s being used to download something and doesn’t flag any issues.
Google even posted a downloadable video showcasing just how easy it is for a user to think they’re downloading Fortnite when, in actuality, they’re downloading a malicious app to their phone. The video can be downloaded in .mp4 format here as, unfortunately, it’s not been uploaded as a video online.
Fortnite on Android hack: How to make sure your phone is safe
Those now concerned about downloading Fortnite on Android needn’t be. Epic has stated that it has now fixed the exploit, and that it took less than 48 hours to do so after being told of the issue by Google.
Those who currently use the original installer simply need to update it to its latest version – 2.1.0 or newer. You can check to see if you’re running this by launching the installer and heading to Settings where it’ll be listed. If you’ve somehow ended up installing an earlier version of the Fortnite installer, you won’t be able to download Fortnite until you update to version 2.1.0.
If you’re still worried about the vulnerability and whether you were affected, you can uninstall Fortnite and its installer and reinstall them both. You should also run a scan with Google Play Protect to identify if any malware has been installed on your phone. You can do this by heading to the “My apps & games” section of the Google Play Store and tapping the “Play Protect” icon at the very top of your list of apps.