Google security researchers revealed this week that the immensely popular Fortnite Android app is vulnerable to so-called man-in-the-disk (MitD) attacks.
This vulnerability allows low-privileged malicious apps already installed on a user's phone to hijack the Fortnite app's installation process and install other malicious apps with a higher permission level.
Epic Games, the Fortnite game developer, has released version 2.1.0 that patches this attack vector.
The concept of man-in-the-disk attacks was recently detailed in more depth by security researchers from Israel-based cyber-security firm Check Point.
Put simply, MitD attacks are possible when an Android app stores data on External Storage, outside its highly secured Internal Storage space.
Because External Storage is shared by all apps, an attacker can watch a specific app's External Storage space and tamper with the data stored there.
The Fortnite app is vulnerable to this attack because the app does not contain the actual game, but is merely an installer. Once users install the app, this installer uses the device's External Storage space to download and install the actual game.
"Any app with the WRITE_EXTERNAL_STORAGE permission can substitute the APK immediately after the download is completed and the fingerprint is verified. This is easily done using a FileObserver. The Fortnite Installer will proceed to install the substituted (fake) APK," a Google researcher wrote in a bug report recently made public.
"If the fake APK has a targetSdkVersion of 22 or lower, it will be granted all permissions it requests at install-time. This vulnerability allows an app on the device to hijack the Fortnite Installer to instead install a fake APK with any permissions that would normally require user disclosure," the researcher added, while also sharing a demo video.
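The check-then-use gap the researcher describes, modelled as an added example (not code from Epic Games, Google or the original report). Two temporary directories stand in for External and Internal Storage, the function names are hypothetical, and returning the file's bytes stands in for handing the APK to the package installer.

```python
import hashlib, os, shutil, tempfile

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def install_from_shared(path, expected, between=lambda: None):
    """Flow from the bug report: verify in shared storage, then install by path."""
    if sha256_file(path) != expected:
        raise ValueError("fingerprint mismatch")
    between()  # gap between check and use; other apps can write here
    with open(path, "rb") as f:
        return f.read()  # stands in for handing the APK to the package installer

def install_from_private(path, expected, private_dir, between=lambda: None):
    """Copy into app-private storage first; verify and install only that copy."""
    private_path = os.path.join(private_dir, "pkg.apk")
    shutil.copyfile(path, private_path)
    if sha256_file(private_path) != expected:
        os.remove(private_path)
        raise ValueError("fingerprint mismatch")
    between()  # same gap, but the verified copy is out of other apps' reach
    with open(private_path, "rb") as f:
        return f.read()

GENUINE = b"genuine APK bytes (constructed sample)"
FAKE = b"substituted APK bytes (constructed sample)"

def demo():
    expected = hashlib.sha256(GENUINE).hexdigest()
    # shared models External Storage; private (mode 0700) models Internal Storage.
    with tempfile.TemporaryDirectory() as shared, tempfile.TemporaryDirectory() as private:
        path = os.path.join(shared, "download.apk")
        def put(data):
            with open(path, "wb") as f:
                f.write(data)
        out = {}
        put(GENUINE)
        out["shared"] = install_from_shared(path, expected, lambda: put(FAKE))
        put(GENUINE)
        out["private"] = install_from_private(path, expected, private, lambda: put(FAKE))
        try:  # file replaced before the copy: the hash check on the copy fails
            install_from_private(path, expected, private)
            out["early_swap"] = "installed"
        except ValueError:
            out["early_swap"] = "rejected"
        return out

if __name__ == "__main__":
    print(demo())
```

The shared-storage flow passes verification and still ends up with the substituted bytes, while the private-copy flow either installs the verified bytes or rejects the file.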
But the bug disclosure process came with a side dish of controversy. Epic Games CEO Tim Sweeney accused Google of pulling a PR stunt.
"We asked Google to hold the disclosure until the update was more widely installed. They refused, creating an unnecessary risk for Android users in order to score cheap PR points," Sweeney said on Twitter on August 25, 2018, referring to a request from one of his engineers that Google hold off from publishing for 90 days so Fortnite users could update their apps.
Google refused Epic Games' request and made the bug report public this week, a week after Epic Games released its patch, making many people believe this was payback after Epic Games pulled the Android app from the Play Store in order for the game developer to keep 100% of the game's profits.
Pulling the app from the Play Store was criticized by many security experts, who warned about possible security flaws that might go under the radar because the app wasn't scanned by Google's Bouncer service before reaching users' devices.
But while no reason was given in the original bug report, Sweeney revealed in a subsequent tweet that Google engineers had explained their decision in private.
"Google did privately communicate something to the effect that they’re monitoring Fortnite installations on all Android devices(!) and felt that there weren’t many unpatched installs remaining," Sweeney said.
This week, Epic Games was also in the headlines for another security-related issue, but for a good reason. In a clever PR move, Epic Games decided to provide all players who turned on two-factor authentication (2FA) for their accounts with a "free dance" (in-game perk).