Epic Games Response is Exactly Why Fortnite Should Have Been on The Google Play Store

It has been rumbling for a while, but Epic Games’ decision to bypass the Google Play Store and distribute the Fortnite game as a download from its website is perhaps not as good an idea as initially thought. Google has revealed the exact details of the security flaw, as well as the fact that game developer Epic Games wanted Google to keep quiet about it for a while.

Google did detail the exact flaw in the Fortnite installation process for Android and showed how the very first installation file shared by Epic Games for the Fortnite game installation on Android phones (these files have the .apk extension), allowed hackers to basically push any malicious app to the devices. The Android device user would certainly not know about any malicious background activities or apps running under the disguise of the Fortnite installer.

Google details the flaw in the Issue Tracker published by the company—“Any app with the WRITE_EXTERNAL_STORAGE permission can substitute the APK immediately after the download is completed and the fingerprint is verified. This is easily done using a FileObserver. The Fortnite Installer will proceed to install the substituted (fake) APK. On Samsung devices, the Fortnite Installer performs the APK install silently via a private Galaxy Apps API. This API checks that the APK being installed has the package name com.epicgames.fortnite. Consequently the fake APK with a matching package name can be silently installed. If the fake APK has a targetSdkVersion of 22 or lower, it will be granted all permissions it requests at install-time. This vulnerability allows an app on the device to hijack the Fortnite Installer to instead install a fake APK with any permissions that would normally require user disclosure.”