Side-loading apps on Android which bypasses the safety net that is the Google Play store can be dangerous as Epic Games is now learning.
As many of you might be aware, getting Fortnite on Android requires you downloading a third-party installer from Epic Games’ website. Because the files are not coming from the Google Play Store, users have to disable some security features which has the potential to leave users exposed to security risks.
As it turns out, there were risks and they were housed in Epic Games’ own installer. To download Fortnite you first need the Fortnite “helper” which downloads the game files to your phone’s storage.
This installation makes use of the WRITE_EXTERNAL_STORAGE permission. Why is this an issue? Google’s security team explains.
“Any app with the WRITE_EXTERNAL_STORAGE permission can substitute the APK immediately after the download is completed and the fingerprint is verified. This is easily done using a FileObserver. The Fortnite Installer will proceed to install the substituted (fake) APK,” explained Google.
Essentially, during installation another app could substitute the files you’re meant to be downloading with malware. This is called a man in the disk attack and would require users download other questionable apps but we already know some Fortnite players have no problem doing that.
The problem gets worse however, as Forbes reports that during Fortnite’s brief exclusivity period on Samsung devices, the Galaxy Apps installer would install any file marked com.epicgames.fortnite.
“This vulnerability allows an app on the device to hijack the Fortnite Installer to instead install a fake APK with any permissions that would normally require user disclosure,” said Google.
Epic Games has updated its installer so that APK substitution cannot take place.
While the threat seems to have been quelled we have to wonder whether foregoing the Play Store and opening up Fortnite players to malware risks was really worth not having to pay Google Play 30 percent of in-app purchases. We don’t think it was.[Source – Google Issue Tracker]