Google discloses man-in-the-disk attack flaw in Fortnite Android app

Google publicly disclosed a vulnerability in Epic Games’ Fortnite installer for Android, putting users at risk, as some warned would happen.

Google opted to go public about the flaw a week after Epic patched and released a new version even though Epic asked Google to wait 90 days before disclosure in order to give more users time to update. Now there’s debate as to whether or not the rapid disclosure was a form of payback after Epic refused to release the Android app in the Google Play Store.

Epic Games previously made the Android version of its wildly popular game Fortnite available only at its site. Installing Android apps from sources other than Google Play means Android users need to disable default security settings in order to download and install the third-party app. Security experts warned that users would be at risk, since not everyone would turn the security settings back on and go through the process of turning security off and on with each update to the app.

After the Android version of the game was released, Google wasted no time in performing a security audit. Sure enough, the Google researcher found that the Fortnite Android app was vulnerable to man-in-the-disk attacks. The installer did not include the actual game, which would later be installed using an Android’s external store space. The vulnerability could allow other apps installed on the Android to hijack the Fortnite Installer and silently install other malicious apps with full permissions in the background.

A week after the Fortnite Android installer was released by Epic, Google engineer Edward warned that he found a serious security flaw in the Fortnite installer.

“The Fortnite APK (com.epicgames.fortnite) is downloaded by the Fortnite Installer (com.epicgames.portal) to external storage,” he explained. “Any app with the WRITE_EXTERNAL_STORAGE permission can substitute the APK immediately after the download is completed and the fingerprint is verified. … The Fortnite Installer will proceed to install the substituted (fake) APK.”

Any malicious app installed on the Android could hijack the download and instead download and install any app with full permissions – a user would normally need to agree to granting those permissions. Edward included a proof-of-concept screen recording and the issue tracker included the note: “This bug is subject to a 90-day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report – including any comments and attachments – will become visible to the public.”

Epic didn’t twiddle its thumbs but got right on fixing the issue. The vulnerability was reported on August 15, and Epic had a patch ready on the August 16. However, Epic asked for the “full 90 days before disclosing this issue so our users have time to patch their devices.”

Did Google ignore Epic’s 90-day disclosure request as payback?

Google waited a week before the issue was publicly disclosed. Was it payback for Epic Games cutting Google from taking 30 percent of the game’s profits by refusing to list it in the Play Store? Some people tend to believe so. In turn, Google pointed out that the disclosure was released after the fix was released as was stated in the issue tracker. Whichever way you look at it, security experts did warn that users would be at risk since the Fortnite Android app was not available via Google Play.

Epic Games CEO Tim Sweeney released a full statement to Android Central:

Epic genuinely appreciated Google’s effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered.

However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable.

An Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed. Google refused. You can read it all at https://issuetracker.google.com/issues/112630336

Google’s security analysis efforts are appreciated and benefit the Android platform, however a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic’s distribution of Fortnite outside of Google Play.

Sweeney also took to Twitter to accuse Google of creating unnecessary risk for Android Fortnite users in order to “score cheap PR points.”

We asked Google to hold the disclosure until the update was more widely installed. They refused, creating an unnecessary risk for Android users in order to score cheap PR points.

— Tim Sweeney (@TimSweeneyEpic) August 25, 2018

Sweeny added that Google privately admitted to “monitoring Fortnite installations on all Android devices.”

Google did privately communicate something to the effect that they’re monitoring Fortnite installations on all Android devices(!) and felt that there weren’t many unpatched installs remaining.

— Tim Sweeney (@TimSweeneyEpic) August 25, 2018

That’s not at all creepy, Google monitoring an app that did not come from Google Play.