Google has revealed that it discovered a serious vulnerability in Epic’s first Fortnite installer for Android, potentially allowing any app with the WRITE_EXTERNAL_STORAGE permission to substitute the APK immediately after the download is completed and the fingerprint is verified.
According to an Issue Tracker post by a Googler, the flaw allowed cyber-criminals to ‘easily’ carry out an attack using a FileObserver, after which the Fortnite Installer would proceed to install the substituted (fake) APK.
As can be seen from the thread, Google apparently notified Epic about its discovery on August 15th, after which Epic had 90 days to patch the flaw, in line with standard industry practices. As it turns out, the vulnerability was patched within just a couple of days, with the company rep announcing the deployment of the patch on the 17th.
According to Epic InfoSec, the patch will change the default APK storage directory from external to internal storage, thereby helping prevent Man-in-the-Disk (MITD) attacks during the install flow.
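The fix described above, as an added example that is not Epic's or Google's code: the download is streamed into app-private storage and hashed in the same pass, so no other app can replace the file between verification and install. `StagedApk`, `stageAndVerify` and the temp directory standing in for Android internal storage (for example `context.getFilesDir()`) are assumptions.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.security.*;

public class StagedApk {
    // Stream the download into app-private storage while hashing the same bytes,
    // so the file that was verified is the file that is later installed.
    // privateDir is an assumption: on Android it would be e.g. context.getFilesDir().
    static File stageAndVerify(InputStream download, File privateDir, String expectedSha256)
            throws IOException, GeneralSecurityException {
        MessageDigest sha = MessageDigest.getInstance("SHA-256");
        File staged = File.createTempFile("pkg", ".apk", privateDir);
        try (InputStream in = new DigestInputStream(download, sha);
             OutputStream out = new FileOutputStream(staged)) {
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) out.write(buf, 0, n);
        }
        byte[] actual = hex(sha.digest()).getBytes(StandardCharsets.US_ASCII);
        byte[] wanted = expectedSha256.toLowerCase().getBytes(StandardCharsets.US_ASCII);
        if (!MessageDigest.isEqual(actual, wanted)) {
            staged.delete(); // never leave an unverified package behind
            throw new SecurityException("APK digest mismatch");
        }
        return staged; // hand this path, and only this path, to the installer
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data; a real caller gets the digest from a trusted manifest.
        byte[] apk = "constructed sample payload".getBytes(StandardCharsets.UTF_8);
        String expected = hex(MessageDigest.getInstance("SHA-256").digest(apk));
        File privateDir = Files.createTempDirectory("internal").toFile(); // stand-in
        File ok = stageAndVerify(new ByteArrayInputStream(apk), privateDir, expected);
        System.out.println("verified and staged: " + ok.getName());
        byte[] altered = "altered payload".getBytes(StandardCharsets.UTF_8);
        try {
            stageAndVerify(new ByteArrayInputStream(altered), privateDir, expected);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```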
What’s interesting is that Epic still requested Google to not disclose the flaw for the full 90-day period, so that its users have time to patch their installers. However, Google didn’t get on board with the time-frame, and ended up opening the thread to the public just seven days after the patch was deployed, in line with the company’s standard disclosure practices.
Epic Games CEO Tim Sweeney expressed his dissatisfaction at Google’s early disclosure, calling it an ‘irresponsible’ decision that can endanger innocent users. In a statement to Android Central, he said, “it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable”.
“Google’s security analysis efforts are appreciated and benefit the Android platform, however a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic’s distribution of Fortnite outside of Google Play”
To understand why Epic and Google are so utterly dissatisfied with each other right now, one needs to know the recent backstory surrounding the launch of Fortnite on Android. Even as the game finally launched on Android long after making its debut on iOS, Epic and Tencent decided to distribute the game through their own platform, rather than via the Google Play Store.
It was largely a business decision for the game’s publishers, who didn’t want to share the revenue from the game with Google, which takes 30 percent of all purchases made through the Play Store. It goes without saying that the tech giant wasn’t amused by the decision, given that it apparently stands to lose $50 million this year alone because of the situation.