An epic vulnerability was discovered in the Fortnite Android installer. The vulnerability exploits the WRITE_EXTERNAL_STORAGE permission. It allows any app with that permission to substitute the APK immediately after the download is completed and the fingerprint is verified, Google revealed.
According to an issue tracker post by a Googler, the flaw allowed cyber-criminals to ‘easily’ carry out an attack using a FileObserver, after which the Fortnite Android installer would proceed to install the substituted (fake) APK.
Google apparently notified Epic about its discovery on August 15th, after which Epic had 90 days to patch the flaw, in line with standard industry practices. As it turns out, the vulnerability was patched within just a couple of days, and the company rep announced the deployment of the patch on the 17th.
According to Epic InfoSec, the patch changes the default APK storage directory from external to internal storage, which helps prevent Man-in-the-Disk (MITD) attacks during the install flow.
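The fix described above, as an added Java sketch that is not Epic's code: the APK lives in app-private internal storage, and, going one step beyond the page, the bytes are hashed while they are streamed into a PackageInstaller session, so the bytes verified are the bytes installed. The class name, file name and the use of a SHA-256 digest obtained over a trusted channel are assumptions; the page does not say what fingerprint the installer checks.

```java
import android.content.Context;
import android.content.IntentSender;
import android.content.pm.PackageInstaller;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.DigestInputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Hypothetical helper: installs a downloaded APK with no verify-then-reopen gap. */
public final class VerifiedApkInstaller {

    /** Download target in internal storage; other apps cannot write here. */
    public static File downloadTarget(Context ctx) {
        return new File(ctx.getFilesDir(), "update.apk"); // placeholder file name
    }

    /** Stages the APK while hashing the same bytes; commits only on a digest match. */
    public static void install(Context ctx, File apk, byte[] expectedSha256,
                               IntentSender statusReceiver)
            throws IOException, NoSuchAlgorithmException {
        PackageInstaller installer = ctx.getPackageManager().getPackageInstaller();
        PackageInstaller.SessionParams params = new PackageInstaller.SessionParams(
                PackageInstaller.SessionParams.MODE_FULL_INSTALL);
        int sessionId = installer.createSession(params);
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");

        try (PackageInstaller.Session session = installer.openSession(sessionId)) {
            try (InputStream in = new DigestInputStream(new FileInputStream(apk), sha256);
                 OutputStream out = session.openWrite("base.apk", 0, -1)) {
                byte[] buf = new byte[64 * 1024];
                int n;
                while ((n = in.read(buf)) != -1) {
                    out.write(buf, 0, n); // every staged byte also feeds the digest
                }
                session.fsync(out);
            }
            // The digest covers exactly what was staged in the session, so a file
            // swapped on disk after this point cannot reach the package manager.
            if (!MessageDigest.isEqual(sha256.digest(), expectedSha256)) {
                session.abandon();
                throw new SecurityException("APK digest mismatch; install abandoned");
            }
            session.commit(statusReceiver);
        }
    }
}
```

On Android 8.0 and later the calling app also needs the REQUEST_INSTALL_PACKAGES permission for the session to be committed.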
Tussle Between Google and Epic Games
What’s interesting is that Epic still requested Google to not disclose the flaw for the full 90-day period, so that its users would have time to patch their installers. However, Epic’s proposed time-frame failed to get Google on board. Just seven days after patch deployment, Google opened the thread to the public. This was in line with the company’s standard disclosure practices.
Epic Games CEO Tim Sweeney expressed his dissatisfaction at Google’s early disclosure. He called it an ‘irresponsible’ decision that can endanger innocent users. He criticised Google for disclosing the flaw so quickly while some installation instances were still vulnerable.
There is utter dissatisfaction between Google and Epic Games. This comes after Epic decided to launch the game on its own platform instead of launching it on the Google Play Store. It was largely a business decision for the game’s publishers. Epic didn’t want to share the revenue from the game with Google, which takes 30 percent of all purchases made through the Play Store. Apparently, the decision wasn’t very amusing for the tech giant. Google apparently stands to lose $50 million this year alone because of the situation.