Security researchers from Google have publicly disclosed an extremely serious security flaw in the first Fortnite installer for Android that could allow other apps installed on the targeted devices to manipulate installation process and load malware, instead of the Fortnite APK.
Earlier this month, Epic Games announced not to make its insanely popular game ‘Fortnite for Android mobile hacking‘ available through the Google Play Store, but via its own app.
Many researchers warned the company that this approach could potentially put Android users at a greater risk, as downloading APKs outside of the Play Store is not recommended and requires users to disable some security features on Android devices hacking as well
In a proof-of-concept video published by Google, researchers demonstrated that their attack takes advantage of a newly introduced “man-in-the-disk” (MitD) vector (detailed in our previous article).
In a nutshell, man-in-the-disk attacks allow malicious apps to manipulate the data of other apps held in the unprotected external storage before they read it, resulting in the installation of undesired apps instead of the legitimate update.
For those unaware, to install Fortnite on your Android phone, you first need to install a “helper” app (installer) that downloads Fortnite to your phone’s storage and installs it on your phone.
Google developers discovered that any app on your phone with the WRITE_EXTERNAL_STORAGE permission could intercept the installation and replace installation file with another malicious APK, including one with full permissions granted like access to your SMS, call history, GPS, or even camera—all without your knowledge.