First Version Of Fortnite Installer Had Security Issues

Epic Games distributes its popular Fortnite Battle Royale game in mobile form via its own installer. It has come to light that the initial version of this installer had no real security checks on what it was installing, so a savvy app or hack with the right permissions could hijack the process to install whatever it wanted. It boils down to the fact that permissions are a bit different between installing and moving files on the internal and external storage of a device. The bug was fixed in an update to the installer a little while ago. If you have installed the game, even if you used Galaxy Apps, you may have been the victim of a drive-by download. Update the installer if you haven't already, and if you installed the game before the installer updated, consider a factory reset of your device.

Fortnite's first installer was made to fetch files from the external storage, and in that domain, it would have been all too easy for any app with the same permission to put a decoy APK file where the Fortnite installer looks for the Fortnite game APK. The Fortnite installer version distributed through Samsung's Galaxy Apps store adds in a file name check, but that's extremely easy to spoof. Essentially, because external storage permissions allow apps to write anything they want to any part of external storage, a malicious app could easily monitor a device's processes using the permissions it was granted at install, then figure out when the Fortnite installer is running and inject its own APK file instead of the game. Epic fixed the issue by disabling the installer's ability to install the game onto external storage, a move that may irk users whose devices have limited internal space supplemented by a larger MicroSD card.
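The gap between a file name check and a content check can be modelled in a few lines. The Python sketch below is an example added here, not Epic's or Samsung's code. The file name, the directory standing in for external storage, and the pinned digest (assumed to reach the installer over a trusted channel) are all hypothetical.

```python
import hashlib
import hmac
import os
import tempfile

EXPECTED_NAME = "game.apk"  # hypothetical name the installer looks for


def name_check(path):
    """The weak check: only the file name is compared."""
    return os.path.basename(path) == EXPECTED_NAME


def digest_check(path, pinned_sha256):
    """Content check: SHA-256 of the file against a pinned digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), pinned_sha256)


def simulate():
    """Return (name_ok, digest_ok) before and after the file is swapped."""
    # Constructed byte strings standing in for APK contents.
    genuine = b"constructed bytes standing in for the real game APK"
    decoy = b"constructed bytes standing in for a substituted APK"
    pinned = hashlib.sha256(genuine).hexdigest()  # assumed trusted value

    # The temp directory models storage that any permitted app can write to.
    with tempfile.TemporaryDirectory() as shared:
        path = os.path.join(shared, EXPECTED_NAME)
        with open(path, "wb") as f:
            f.write(genuine)
        before = (name_check(path), digest_check(path, pinned))

        # Another writer replaces the file but keeps the expected name.
        with open(path, "wb") as f:
            f.write(decoy)
        after = (name_check(path), digest_check(path, pinned))
    return before, after


if __name__ == "__main__":
    print(simulate())
```

A digest check on a path other apps can still write to leaves a window between verification and installation, which is why keeping the file off external storage, as Epic's fix did, closes the issue more completely.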

This is by no stretch the first time that Fortnite has been involved in controversy in the mobile gaming world. The game skipped the Play Store altogether in order to avoid handing over 30% of in-game profits to Google, a move that actually made this exploit possible. The Google Play Store has strict security requirements that make it harder for malicious apps to get the resources and privileges they want, even if some slip through from time to time.
