Google researcher found Fortnite Android App vulnerable to Man-in-the-Disk attacks

Pierluigi Paganini August 27, 2018

A Google security researcher disclosed a vulnerability in the newcome Fortnite Android App that exposes it to Man-in-the-Disk attacks.

After a long wait, Fortnite Android app has finally arrived but it hides an ugly surprise, it is vulnerable to Man-in-the-Disk (MitD) attacks that can allow a third-party application to crash it or run malicious code.

The flaw was discovered by Google security researchers, it could be exploited by low-privileged malicious apps already installed on a users’ phone to hijack the Fortnite Android app.

Threat actor can carry out MitD attacks when an Android app stores data outside its highly-secured Internal Storage space, for example on an External Storage, that is shared by all apps.

The attacker could tamper with the data stored in the external storage space.

The attacker could hijack the installation process and install other malicious apps with higher permissions.

Epic Games, the authors of the popular game, have promptly released a new version (ver. 2.1.0) that addresses the issue.
Fortnite Android app

The Android Fortnite app is merely an installer, once users install the app, this installer leverages the device’s External Storage space to download and install the actual game.

“The Fortnite APK (com.epicgames.fortnite) is downloaded by the Fortnite Installer (com.epicgames.portal) to external storage:” reads a bug report published by a Google researcher.

“Any app with the WRITE_EXTERNAL_STORAGE permission can substitute the APK immediately after the download is completed and the fingerprint is verified. This is easily done using a FileObserver. The Fortnite Installer will proceed to install the substituted (fake) APK,” 

The Fortnite Android App was made available for specific Samsung device models, its Installer performs the APK install silently via a private Galaxy Apps API. The only check made by the API is that the APK being installed has the package name com.epicgames.fortnite. An attacker can use a fake APK with the same package name to silently install the malicious code.

“If the fake APK has a targetSdkVersion of 22 or lower, it will be granted all permissions it requests at install-time. This vulnerability allows an app on the device to hijack the Fortnite Installer to instead install a fake APK with any permissions that would normally require user disclosure,” continues the researcher.

Below a video PoC of the attack shared by Google researcher and published by BleepingComputer:

Epic Games is disappointed by the way Google has disclosed the bug, the CEO Tim Sweeney explained to have asked Google wait more time to allow the new update to be installed by a large part of its players, but the company immediately published the news due to the risks for Android users.

“We asked Google to hold the disclosure until the update was more widely installed. They refused, creating an unnecessary risk for Android users in order to score cheap PR points,” Sweeney said on Twitter.

Is this a Google’s revenge because Epic Games is not distributing the Fortnite Android App?

Google, that is monitoring the installations of the game, privately explained to Epic Games CEO that there weren’t many unpatched installs remaining.

But while a reason was not left in the original bug report, in a subsequent tweet, Sweeney revealed that Google engineers provided an explanation for their decision in private.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Fortnite Android App, MiTD)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment