Epic Games blasts Google for disclosing Fortnite Android exploit early


TechSpot Editor
Staff member

While it’s certainly not 100 percent safe, the Google Play Store does offer some protections, and sideloading the Fortnite installer means allowing installations from unknown sources—something that’s not recommended, especially as some users may forget to disable the permissions afterward.

It was security researchers from Google who publicly disclosed the problem on its Issue Tracker site—whether Fortnite's absence from the Play store motivated Google to investigate the app thoroughly is unknown.

The vulnerability in the Android Fortnite Installer would allow malicious apps already present on a user’s phone to hijack the installation procedure and download other malicious applications with extra permissions—a Man-in-the-Disk (MitD) attack.

MitD attacks are made possible when Android apps store data on External Storage space, which is shared by all apps, rather than Internal Storage space, aka System Memory. And as the Fortnite installer only checks the name of the APK, any file called “com.epicgames.fortnite” would be installed.

"Any app with the WRITE_EXTERNAL_STORAGE permission can substitute the APK immediately after the download is completed and the fingerprint is verified. This is easily done using a FileObserver. The Fortnite Installer will proceed to install the substituted (fake) APK," wrote Google engineer Edward.

Thankfully, Epic released a patch that addressed the Fortnite installer vulnerability within 48 hours of its discovery (August 15). The company requested that Google not disclose the details until after 90 days, giving users plenty of time to update their apps and to prevent hackers exploiting the bug.

However, Google’s guidelines state that while the official period for public disclosure is 90 days, it will disclose a vulnerability once a patch has been made widely available. Therefore, the company ignored Epic’s request and shared the details once the patched version of the installer had been available for seven days.

Unsurprisingly, Epic boss Tim Sweeney wasn’t happy about the whole situation.

Epic genuinely appreciated Google's effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered.

However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable.

An Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed. Google refused. You can read it all at https://issuetracker.google.com/issues/112630336

Google's security analysis efforts are appreciated and benefit the Android platform, however a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic's distribution of Fortnite outside of Google Play.

Sweeney revealed in a tweet that Google’s decision to disclose early could have been because it knew there weren’t many unpatched installs remaining.

In other security-related Fortnite news, the company is rewarding players with a free emote if they enable two-factor authentication.

Permalink to story.



TS Evangelist
I love Sweeny's slick little jab at Google spying on apps that don't even come from the Play store. Its long past time that we got off our collective behinds and demanded our privacy and security back. Or maybe Americans are as stupid and lazy as the rest of the world believes. Perhaps the majority of us are so addicted to Facebook and other garbage that we're willing to keeping paying these companies to violate our civil rights. Remember, you paid for the phone and its plan with money. You pay for Google and their kin with your freedom and security.


TS Maniac
I really don’t like Google as a company. This is just another **** move they have made.

Oh and whilst in here can I just emphasise how much Firefox has overtaken Google’s chrome browser in both speed and ease of use. Make the switch guys.


TS Rookie
I would say that Google has some responsibility in monitoring (spying) on Android systems and vulnerabilities... I can say that is a good thing. However, is it really a "punishment" for going around google play, especially when they could have crushed the Android installations in the first few days if they had chose to, rather they did wait until most devices had been patched.

Instead, let's talk about the why and hows of people learning of/getting access to Fortnite "hacks" , and other unfair playing "cheats" that seem to be allowed... until the free users learn of them (or create them themselves).


TS Evangelist
Lol everybody blames Google for finding bad/lazy scripting by other companies. How dare them point out our flaws!


TS Enthusiast
Under Google's guidelines, they state they can publish their findings after it's been successfully patched. Being that Fortnite isn't in the Play Store, Google has zero obligation to grant them a Play Store 90-day grace period.