Google spots security vulnerability in Epic-hosted Fortnite Android installer

Fortnite’s recent Android release made headlines for skipping the Google Play Store and instead launching through an installer downloaded from Epic’s website, but it now looks like a significant security issue was present in the early days of that installer’s release.

As spotted by Android Central, Google flagged a significant security vulnerability in the Fortnite Android Installer released earlier this month, though the company notably first disclosed the issue to Epic and ensured the vulnerability was fixed before publicly detailing the flaw.

The issue itself came from the first version of the Fortnite Installer that would-be players must first download from Epic Games website to get the Fortnite app itself to their devices.

That APK came with a specific permission that opened it up to being easily hijacked by other applications seeking to download files to an Android device without the owner’s knowledge or permission. As Android Central explains, this specific vulnerability opens Android users up to a “man-in-the-disk” attack where an app already installed on their phone keeps an eye on requests from other apps on the device, and uses that flaw in apps like Epic’s Fortnite installer to smuggle its own malicious files onto the device. 

Google’s full breakdown of the issue can be found on the Issue Tracker page for the vulnerability itself, along with the exchange between Google and Epic about the flaw itself.  In that exchange, Epic notably requested that Google refrain from publishing the vulnerability publicly for 90 days to give its users time to patch their devices. However, while Google’s policies allow for 90 days for the developer to respond and pursue a fix before publicly revealing the error, a Google rep noted that it is standard procedure for the company to disclose the issue 7 days after it had been patched out of the offending app and posted the notice despite Epic’s request. 

Epic CEO Tim Sweeney criticized that very policy in a statement given to Android Central, saying that, while Epic appreciated the security assist from Google, it was “irresponsible” of the company to disclose the flaw so soon and accused Google of using the vulnerability as fuel in a PR war.

“Epic genuinely appreciated Google's effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered. However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable,” said Sweeney.” An Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed. Google refused.”

“Google's security analysis efforts are appreciated and benefit the Android platform,” he continues. “However a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic's distribution of Fortnite outside of Google Play.”