It was really only a matter of time. Epic Games was, after all, tempting fate, not to mention hackers and criminals, in its righteous zeal to open up the Android (but not iOS) app ecosystem. A bug in the Fortnite Installer for Android apparently left devices vulnerable to “man-in-the-disk” attacks for weeks, or at least until users update to the latest version of the installer. And while both sides are thankful for the other’s swift action, Epic CEO Tim Sweeney didn’t miss the opportunity to call out Google for not breaking its own vulnerability disclosure policies.
To be clear, the wayward app in question isn’t Fortnite for Android itself but the Fortnite Installer for Android. This utility is necessary to download the game from Epic’s servers and has to be installed separately. It must also remain installed in order to update Fortnite itself, as some early testers have discovered.
Unfortunately, the Installer app has a bug that enables what is called a man-in-the-disk attack. A cousin of the popular man-in-the-middle (MitM) attack, this basically means that some sleeper malware installed on the device can monitor the Fortnite Installer when it’s about to download Fortnite, hijack the connection, and force it to download something else, usually the actual malware payload. The Fortnite Installer will then install that payload, which can then be granted full Android permissions. Given how the unknown sources system works in this particular case, neither the user nor the Fortnite Installer itself will ever know.
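The general defense against this class of bug is to verify the exact bytes that get installed, from storage no other app can write to. The following is an added sketch in Python, not code from Epic or Google: it models an installer that copies a download out of a shared directory into a private one and checks that copy against a pinned SHA-256. The directory layout, the file name `game.apk` and the pinned digest (assumed to come from a trusted manifest) are all assumptions for illustration.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def stage_and_verify(shared_path, private_dir, pinned_sha256):
    """Copy the download into installer-private storage, then verify THAT copy.

    Returns the private path to install from, or None on a digest mismatch.
    Verifying the shared file and then installing from the shared path would
    leave a window in which another app can swap it after the check.
    """
    fd, private_path = tempfile.mkstemp(dir=private_dir, suffix=".apk")
    with os.fdopen(fd, "wb") as dst, open(shared_path, "rb") as src:
        shutil.copyfileobj(src, dst)
    if sha256_file(private_path) != pinned_sha256:
        os.remove(private_path)  # never hand an unverified file to the installer
        return None
    return private_path


def demo():
    """Constructed scenario: returns (genuine_accepted, replaced_accepted)."""
    genuine = b"constructed bytes standing in for the genuine package"
    pinned = hashlib.sha256(genuine).hexdigest()  # assumed: from a trusted manifest
    with tempfile.TemporaryDirectory() as shared, \
            tempfile.TemporaryDirectory() as private:
        download = os.path.join(shared, "game.apk")  # hypothetical file name
        with open(download, "wb") as f:
            f.write(genuine)
        genuine_ok = stage_and_verify(download, private, pinned) is not None
        # Another app with access to the shared directory replaces the file.
        with open(download, "wb") as f:
            f.write(b"constructed bytes standing in for a replaced package")
        replaced_ok = stage_and_verify(download, private, pinned) is not None
    return genuine_ok, replaced_ok
```
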
There is some good news, of course. The first is that this MitD attack requires that the “sleeper” malware be installed on the device already. Given the popularity of Fortnite, however, it’s now likely that hackers will be waiting for such opportunities and will use any means necessary to dupe users into downloading seemingly innocuous apps outside of the Google Play Store. The second and more important good news is that Google reported the vulnerability to Epic before making it public and Epic Games was quickly able to fix it and roll out an update (reportedly).
You’d think it all ends there, but Epic Games CEO Tim Sweeney, while thankful for Google’s bug report, lost no time in chiding Google for disclosing the vulnerability within 7 days and denying Epic’s request to withhold the information for a longer 90-day period. Here’s Sweeney’s statement to Android Central:
“Epic genuinely appreciated Google’s effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered.
However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable.
An Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed. Google refused. You can read it all at https://issuetracker.google.com/issues/112630336.
Google’s security analysis efforts are appreciated and benefit the Android platform, however a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic’s distribution of Fortnite outside of Google Play.”
While some, like Sweeney, might accuse Google of sour grapes over Epic’s snub of its Play Store, it was simply following its own policies. Given the impact of the vulnerability, Google labeled it as a 0day (zero day) exploit, and it thus had a 7-day timeframe instead of the usual 90 days. There is a certain sense of irony that Epic would demand special treatment in this matter. Good thing, then, that Fortnite isn’t yet that widely available on Android, at least not officially.