Flaw in Fortnite Android App Lets Hackers Install Malware

Security researchers from Google have publicly disclosed an extremely serious security flaw in the first Fortnite installer for Android that could allow other apps installed on the targeted devices to manipulate installation process and load malware, instead of the Fortnite APK.

Earlier this month, Epic Games announced not to make its insanely popular game ‘Fortnite for Android mobile hacking‘ available through the Google Play Store, but via its own app.

Many researchers warned the company that this approach could potentially put Android users at a greater risk, as downloading APKs outside of the Play Store is not recommended and requires users to disable some security features on Android devices hacking  as well

In a proof-of-concept video published by Google, researchers demonstrated that their attack takes advantage of a newly introduced “man-in-the-disk” (MitD) vector (detailed in our previous article).

In a nutshell, man-in-the-disk attacks allow malicious apps to manipulate the data of other apps held in the unprotected external storage before they read it, resulting in the installation of undesired apps instead of the legitimate update.

For those unaware, to install Fortnite on your Android phone, you first need to install a “helper” app (installer) that downloads Fortnite to your phone’s storage and installs it on your phone.

Google developers discovered that any app on your phone with the WRITE_EXTERNAL_STORAGE permission could intercept the installation and replace installation file with another malicious APK, including one with full permissions granted like access to your SMS, call history, GPS, or even camera—all without your knowledge.

Hacker Discloses Unpatched Windows Zero-Day Vulnerability

A security researcher has publicly disclosed the details of a previously unknown zero-day vulnerability in the Microsoft’s Windows operating system that could help a local user or malicious program obtain system privileges on the targeted machine.

And guess what? The zero-day flaw has been confirmed working on a “fully-patched 64-bit Windows 10 system.”

The vulnerability is a privilege escalation issue which resides in the Windows’ task scheduler program and occured due to errors in the handling of Advanced Local Procedure Call (ALPC) systems

Advanced local procedure call (ALPC) is an internal mechanism, available only to Windows operating system components, that facilitates high-speed and secure data transfer between one or more processes in the user mode.

The revelation of the Windows zero-day came earlier today from a Twitter user with online alias SandboxEscaper, who also posted a link to a Github page hosting a proof-of-concept (PoC) exploit for the privilege escalation vulnerability in Windows.

Since Advanced Local Procedure Call (ALPC) interface is a local system, the impact of the vulnerability is limited with a CVSS score of 6.4 to 6.8, but the PoC exploit released by the researcher could potentially help malware authors to target Windows users.

SandboxEscaper did not notify Microsoft of the zero-day vulnerability, leaving all Windows users vulnerable to the hackers until a security patch is release by the tech giant to address the issue.

Microsoft is likely to patch the vulnerability in its next month’s security Patch Tuesday, which is scheduled for September 11.

The CERT/CC notes it is currently unaware of any practical solution to this zero-day bug.

Air Canada s Data Breach — 60,000 Mobile App Users in mess

Air Canada has confirmed  data breach that may have affected about 20,000 customers of its 1.7 million mobile app users.

The company said it had “detected unusual log-in behavior” on its mobile app between August 22 and 24, during which the personal information for some of its customers “may potentially have been improperly accessed.”


Reset Your Password

The company estimates about 1% of its 1.7 million people—or about 20,000 users in total—who use its mobile app may have been affected by the security breach.

there is lot of hackers to hack mobile so be careful