Fortnite Mobile installer for Android found to contain a Man-in-the-Disk exploit
Epic Games recently sent out a patch for the Fortnite Mobile installer for Android that fixed an otherwise serious vulnerability discovered by Google. The vulnerability in question is a Man-in-the-Disk (MitD) exploit that would have enabled a pre-installed malicious app to hijack the Fortnite installer and install malware on Samsung Experience devices.
XDA Developers gives a clear account of what went wrong with the Fortnite installer. Generally, Android APKs acquired outside of the Google Play Store require certain permissions from the user before they can be installed. Certain first-party apps such as the Google Play Store and similar OEM stores from Samsung, Huawei, and others already hold the INSTALL_PACKAGES permission and also grant the needed runtime permissions. Thus, the installation happens silently and no user intervention is needed beyond pressing the Install button in the store.
However, if an app is being installed from a third-party source, the Android Package Manager prompts the user for the required permissions and thus does not allow a silent install. OEMs can also customize the Android Package Manager to scan for security issues before requesting the user's permission. So what went wrong with the initial version of the Fortnite installer?
On Samsung Experience devices such as the Galaxy S8+, Note 9, and the Tab S4, Fortnite is distributed via the Samsung Galaxy Apps store. Google discovered that on these devices, the Fortnite installer used a private API in Galaxy Apps to bypass the Android Package Manager user prompts for a silent install. While this by itself is not an issue, the Fortnite installer actually downloads the APK into /sdcard/Android/data/com.epicgames.portal/files/downloads/ instead of an app-specific directory in /data/data. The /sdcard/ directory is considered external storage and can be modified by any app that holds the storage read and write permissions, whereas the app-specific directory in /data/data can be accessed only by the app in question.
This means that a pre-installed malicious app holding the storage read and write permissions can watch the directory into which the Fortnite APK is downloaded and replace the file with a modified APK of its own. Compounding the problem is the fact that Samsung Galaxy Apps does not verify the package integrity but only checks whether the package name of the APK is com.epicgames.fortnite and then proceeds to silently install it.
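To make the two storage locations concrete, here is an added example (not Epic Games' or Samsung's code) contrasting the external-storage path described above with a private-storage path, plus a whole-file digest check so the installer does not rely on the package name alone. The class, file name and `expectedHex` value are placeholders chosen for the example.

```java
// Added illustration, not code from the Fortnite installer or Galaxy Apps.
import android.content.Context;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class ApkStaging {
    // Weak: resolves to /sdcard/Android/data/<pkg>/files/downloads/, which any
    // app holding the external-storage write permission can modify between
    // download and install (the Man-in-the-Disk window described in the article).
    static File weakTarget(Context ctx) {
        return new File(ctx.getExternalFilesDir("downloads"), "game.apk");
    }

    // Hardened: resolves to /data/data/<pkg>/files/, readable and writable
    // only by this app's own UID.
    static File privateTarget(Context ctx) {
        return new File(ctx.getFilesDir(), "game.apk");
    }

    // SHA-256 of the staged file, hex-encoded.
    static String sha256Hex(File f) throws IOException, NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        try (InputStream in = new FileInputStream(f)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) md.update(buf, 0, n);
        }
        StringBuilder sb = new StringBuilder();
        for (byte b : md.digest()) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Only hand over an APK that sits in private storage AND matches a digest
    // obtained over an authenticated channel (expectedHex is a placeholder here).
    // A package-name comparison alone, as the store performed, proves nothing
    // about who produced the file.
    static boolean readyToInstall(Context ctx, File apk, String expectedHex)
            throws IOException, NoSuchAlgorithmException {
        String privateRoot = ctx.getFilesDir().getCanonicalPath() + File.separator;
        boolean isPrivate = apk.getCanonicalPath().startsWith(privateRoot);
        return isPrivate && sha256Hex(apk).equalsIgnoreCase(expectedHex);
    }
}
```

Checking the digest before the file is in private storage would not help, since the file could still be swapped after the check and before the installer reads it.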
Shortly after Google discovered this flaw, Epic Games patched the vulnerability in version 2.1.0 of the installer. The fix was rather simple: it changed the download location of the APK to /data/data instead of /sdcard/Android/. However, much to Epic Games' chagrin, Google disclosed the vulnerability within 7 days of its discovery without heeding Epic Games' request for the usual 90-day window. Speaking to Android Central, Epic Games' CEO Tim Sweeney said,
"Epic genuinely appreciated Google's effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered.
However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable.
An Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed. Google refused. You can read it all at https://issuetracker.google.com/issues/112630336
Google's security analysis efforts are appreciated and benefit the Android platform; however, a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic's distribution of Fortnite outside of Google Play."
Non-Samsung phones do not have Galaxy Apps installed, so trying to install the Fortnite APK does prompt for the usual permissions. Nevertheless, a malicious app can still masquerade as the actual Fortnite installer, and the average Joe or Jane would not even know.
The launch of Fortnite Mobile for Android had its own share of controversies - from the game initially being exclusive to Samsung Galaxy flagship phones to Epic Games' decision to bypass the Google Play Store for distribution. Users of non-Samsung flagships who have registered for an invite are gradually being allowed to play the game. Google is said to be missing out on more than US$50 million in IAP revenue by virtue of Epic Games circumventing the Play Store. Whether Google's quick disclosure of the vulnerability was sweet revenge for that or something else is anyone's guess.