Connect with us


‘Fortnite’ on Android had a critical security flaw



Fortnite on Android
“Fortnite” launched on
Android smartphones recently, but it skipped Google’s Play

Antonio Villas-Boas/Business

  • “Fortnite” launched on Android recently, starting with
    Samsung smartphones and expanding out to other major flagship
    Android phones.
  • Instead of launching on Google’s Play Store, Epic Games
    opted to skip the storefront and distribute the free game
  • By skipping Google’s storefront, a critical security
    flaw was introduced to the download process.
  • The issue went unnoticed by Epic Games until Google
    pointed it out. It has since been fixed.
  • This example highlights a major security risk that
    comes with mass distribution of software, and why platforms
    like Google Play are important.

When the insanely popular game “Fortnite” finally arrived on
Android earlier this month, it skipped Google’s ubiquitous Play

You couldn’t just navigate to Google’s store and download
“Fortnite.” It wasn’t there.

There was a clear reason to skip the Google Play Store: Google
takes 30% of all sales through its storefront, and “Fortnite”
maker Epic Games wanted to keep 100% of its sales. “The 30% store
tax is a high cost in a world where game developers’ 70% must
cover all the cost of developing, operating, and supporting their
games,” Epic Games founder and CEO Tim Sweeney
told me earlier this month

“Thirty percent is disproportionate to the cost of the services
these stores perform — such as payment processing, download
bandwidth, and customer service,” he said.

And thus, in a brazen move, Epic skipped Google Play with

Instead, you must navigate to a website operated by Epic Games
where you can download what’s called an “installer.” That
installer program from Epic then facilitates the download and
management of “Fortnite.” 

It was apparently in this step of the installation process where
“Fortnite” had a critical security flaw. 

Fortnite (Android)
As seen in the middle
screen, Android issues a warning screen about downloading “APK”
files from the internet — APK files are application files on

Ben Gilbert/Business
Insider/Epic Games

“Any app with the WRITE_EXTERNAL_STORAGE permission can
substitute the APK immediately after the download is completed
and the fingerprint is verified,” a Google
engineer wrote
 in mid-August, as
discovered by Techcrunch
. “This is easily done using a
FileObserver. The Fortnite Installer will proceed to install the
substituted (fake) APK.”

In so many words, the “Fortnite” installation program on Android
had a loophole that allowed malicious actors to gain access to
your phone. Worse, that wasn’t the only problem if you were
downloading the game on a Samsung phone or tablet.

As the Google engineer, identified only as Edward, said:

“On Samsung devices, the Fortnite Installer performs the APK
install silently via a private Galaxy Apps API. This API checks
that the APK being installed has the package name
com.epicgames.fortnite. Consequently the fake APK with a matching
package name can be silently installed.”

In plain terms, Samsung devices were only verifying that the name
of the APK file matched “com.epicgames.fortnite” — if a piece of
malicious software were swapped in with the same name, it would
pass muster and be installed. 

This “Fortnite” security kerfuffle on Android highlights an issue
that critics leveled when Epic first announced plans to skip the
Google Play Store: Downloading installer software outside of
Google Play forces users to accept installation
of all software from “unknown sources.” 

Because the “Fortnite” installer is downloaded from Epic Games’
website, and the game it installs is being downloaded from Epic
Games — outside the Google Play Store — users have to explicitly
open various security permissions that would otherwise remain

Fortnite (Android)Epic

For example: When I downloaded the “Fortnite” installer on a
Google Pixel 2 smartphone, Android prompted me with several
warnings that I wasn’t allowed to download or install software
outside of Google Play without first giving explicit permission.
Opening those security permissions is required to install

It’s this toggle that poses a threat, as it opens up the phone to
malicious third-party software from similarly “unknown sources.”
Coupled with the issues Epic introduced by leaving security holes
in its installer, millions of “Fortnite” players were at risk of
having information stolen and/or their device bricked.

Both issues have since been patched by Epic Games; it’s unclear
if anyone was affected by the security flaws.

Continue Reading
Advertisement Find your dream job