Pierluigi Paganini August 27, 2018

A Google security researcher disclosed a vulnerability in the newcome Fortnite Android App that exposes it to Man-in-the-Disk attacks.

After a long wait, Fortnite Android app has finally arrived but it hides an ugly surprise, it is vulnerable to Man-in-the-Disk (MitD) attacks that can allow a third-party application to crash it or run malicious code.

The flaw was discovered by Google security researchers, it could be exploited by low-privileged malicious apps already installed on a users’ phone to hijack the Fortnite Android app.

Threat actor can carry out MitD attacks when an Android app stores data outside its highly-secured Internal Storage space, for example on an External Storage, that is shared by all apps.

The attacker could tamper with the data stored in the external storage space.

The attacker could hijack the installation process and install other malicious apps with higher permissions.

The Android Fortnite app is merely an installer, once users install the app, this installer leverages the device’s External Storage space to download and install the actual game.

“The Fortnite APK (com.epicgames.fortnite) is downloaded by the Fortnite Installer (com.epicgames.portal) to external storage:” reads a bug report published by a Google researcher.

“Any app with the WRITE_EXTERNAL_STORAGE permission can substitute the APK immediately after the download is completed and the fingerprint is verified. This is easily done using a FileObserver. The Fortnite Installer will proceed to install the substituted (fake) APK,” 

“If the fake APK has a targetSdkVersion of 22 or lower, it will be granted all permissions it requests at install-time. This vulnerability allows an app on the device to hijack the Fortnite Installer to instead install a fake APK with any permissions that would normally require user disclosure,” continues the researcher.

Below a video PoC of the attack shared by Google researcher and published by BleepingComputer:

Epic Games is disappointed by the way Google has disclosed the bug, the CEO Tim Sweeney explained to have asked Google wait more time to allow the new update to be installed by a large part of its players, but the company immediately published the news due to the risks for Android users.

“We asked Google to hold the disclosure until the update was more widely installed. They refused, creating an unnecessary risk for Android users in order to score cheap PR points,” Sweeney said on Twitter.

We asked Google to hold the disclosure until the update was more widely installed. They refused, creating an unnecessary risk for Android users in order to score cheap PR points.

— Tim Sweeney (@TimSweeneyEpic) August 25, 2018

Google, that is monitoring the installations of the game, privately explained to Epic Games CEO that there weren’t many unpatched installs remaining.

Google did privately communicate something to the effect that they’re monitoring Fortnite installations on all Android devices(!) and felt that there weren’t many unpatched installs remaining.

— Tim Sweeney (@TimSweeneyEpic) August 25, 2018

But while a reason was not left in the original bug report, in a subsequent tweet, Sweeney revealed that Google engineers provided an explanation for their decision in private.