Google Security Researchers discovered a Man-in-the-Disk (MitD) which allows other applications to Hijack Fortnite app’s installation process and install other malicious applications with root level permissions. The Fortnite Game Developer Epic Games have released patches for the vulnerability.
Please Refer to the Man In The Disk Article for more information on how the attack works
What is a MitD Attack?
In layman’s terms, the MitD attacks are possible when Android apps store data in External Storage mediums rather than the provided highly secure internal storage space. The attacker can potentially tamper with the application data as it is shared by all the applications. The Fortnite app is vulnerable to this attack since the actual app in the play store does not contain the game but just the installer. Once the app is installed by the installer using the External Storage, users can play the game.
“Any app with the WRITE_EXTERNAL_STORAGE permission can substitute the APK immediately after the download is finished and the fingerprint is verified. This is easily done using a FileObserver. The Fortnite Installer will continue to install the substituted (fake) APK,” a Google researcher wrote in a bug report recently made public.
If the APK version of Android is below 22 it has permissions already granted during the installation, therefore enabling the app on the device to hijack the Fortnite installer and allow for fake APKs to be installed instead of the game APK file.
The War between Google and Epic Games…
Epic Games requested Google to postpone their bug disclosure until the latest version of the application is widely installed on user’s phones, however it would seem Google has pulled a PR stunt by publishing the bug details early.
We asked Google to hold the disclosure until the update was more widely installed. They refused, creating an unnecessary risk for Android users in order to score cheap PR points.
— Tim Sweeney (@TimSweeneyEpic) August 25, 2018
Google have refused the Epic Games request and made the bug report public this week . Some people may think this as Google’s payback since Epic Games removed the Android app from the Play Store in order for the game developer to avoid having to share profits with Google.
Take your time to comment on this article