News & Comment: Fortnite Installer downloads are vulnerable to hijacking

NEWS:

Google published that hackers could hijack Fortnite’s installation software to load malware.

READ NOTICE

COMMENT:
Samuel Bakken, senior product marketing manager for OneSpan, commented:

“Google did some simple risk calculus to determine that, because of its popularity, the Fortnite for Android app could impact the security of Android users. Some suggest it’s vengeance for Epic Games having side-stepped the Google Play store for distribution — regardless, it’s sensible security practice on Google’s part.

The Google Play Protect service, which provides some basic mobile security features, will scan a device for installed apps including apps like Fortnite that are downloaded from sources other than the Google Play store to alert users to an app that might put their device at risk. Obviously in this case it’s a good thing Google took a closer look at Fortnite for Android.

Kudos to Epic Games for taking security seriously and releasing a patch so quickly, not that they had much of a choice with all the attention being paid to their distribution experiment.

Using Android External Storage to facilitate installs/updates is what led to this man-in-the-disk vulnerability, which can lead to the installation of malware without any notification to the user. Would regular Google Play store review have caught this vulnerability before the app was published? It’s possible but not certain that the usual automated assessments would have identified it.

 

This serves as further evidence that for developers/publishers of high-value mobile apps, securing their own code is not enough. They also need runtime protection to safeguard their own apps against malware and/or devices compromised as the result of other vulnerable mobile apps in the Android ecosystem that put their apps, their users, and their businesses at risk.”