Fortnite for Android didn’t come to the Play Store. It was first available on Samsung Galaxy Apps and non-Samsung users could get it from Epic‘s website later on. If you downloaded the installer from the Galaxy app store, you could’ve been exploited by a “Man-in-the disk” attack. This attack allows a hacker to install a malicious app on your phone.
The initial risk
Epic Games didn’t want to bring Fortnite to the Play Store because it didn’t want to give a 30% cut to Google on in-app purchases. It is a huge security risk that faced a lot of backlash and has certainly proved to be one. Google certainly wasn’t amused by the decision. It prompted users that Fortnite wasn’t on the Play Store when they searched for it.
The process
When you install an APK, you have to enable installation from unknown sources. After that, you’re still prompted whether you want to install the app and any sensitive permissions that it requests are listed. To install an app without asking for permission, system-level apps must have a permission called INSTALL_PACKAGES. Galaxy Apps and the Play Store have this permission.
The Fortnite Installer downloads the Fortnite APK to the external storage and then installs it. By using a private API in Galaxy Apps (which has the INSTALL_PACKAGES permission), the installer bypasses the need to prompt the user to install the Fortnite APK. However, since the Fortnite APK is on the external storage, any other malicious app could replace the downloaded Fortnite package with its own malicious package.
The Fortnite Installer would then end up installing the malicious app. There’d be no user intervention or notification and all permissions would be granted if it was Android 5.1 or lower. If it was higher, then it’d still have to ask for runtime permissions.
Non-Samsung devices aren’t safe, however. The malicious app won’t be installed silently in the background: you’d have to enable installation from unknown sources. After that, the responsibility falls on the user. If any user sees the Fortnite name and icon, he’d install it and the malicious app will end up on his phone too.
The fix
Epic Games did respond quickly. They simply changed the installation location from the external storage to the installer’s internal storage directory—which is inaccessible to other apps.
Source: Google Issue Tracker
Via: XDA Developers
