Google researcher found Fortnite Android App vulnerable to Man-in-the-Disk attacks
27.8.18 securityaffairs Android

A Google security researcher disclosed a vulnerability in the newcome Fortnite Android App that exposes it to Man-in-the-Disk attacks.
After a long wait, Fortnite Android app has finally arrived but it hides an ugly surprise, it is vulnerable to Man-in-the-Disk (MitD) attacks that can allow a third-party application to crash it or run malicious code.

The flaw was discovered by Google security researchers, it could be exploited by low-privileged malicious apps already installed on a users’ phone to hijack the Fortnite Android app.

Threat actor can carry out MitD attacks when an Android app stores data outside its highly-secured Internal Storage space, for example on an External Storage, that is shared by all apps.

The attacker could tamper with the data stored in the external storage space.

The attacker could hijack the installation process and install other malicious apps with higher permissions.

Epic Games, the authors of the popular game, have promptly released a new version (ver. 2.1.0) that addresses the issue.
Fortnite Android app
The Android Fortnite app is merely an installer, once users install the app, this installer leverages the device’s External Storage space to download and install the actual game.

“The Fortnite APK (com.epicgames.fortnite) is downloaded by the Fortnite Installer (com.epicgames.portal) to external storage:” reads a bug report published by a Google researcher.

“Any app with the WRITE_EXTERNAL_STORAGE permission can substitute the APK immediately after the download is completed and the fingerprint is verified. This is easily done using a FileObserver. The Fortnite Installer will proceed to install the substituted (fake) APK,”

The Fortnite Android App was made available for specific Samsung device models, its Installer performs the APK install silently via a private Galaxy Apps API. The only check made by the API is that the APK being installed has the package name com.epicgames.fortnite. An attacker can use a fake APK with the same package name to silently install the malicious code.
“If the fake APK has a targetSdkVersion of 22 or lower, it will be granted all permissions it requests at install-time. This vulnerability allows an app on the device to hijack the Fortnite Installer to instead install a fake APK with any permissions that would normally require user disclosure,” continues the researcher.

Below a video PoC of the attack shared by Google researcher and published by BleepingComputer:

Epic Games is disappointed by the way Google has disclosed the bug, the CEO Tim Sweeney explained to have asked Google wait more time to allow the new update to be installed by a large part of its players, but the company immediately published the news due to the risks for Android users.

“We asked Google to hold the disclosure until the update was more widely installed. They refused, creating an unnecessary risk for Android users in order to score cheap PR points,” Sweeney said on Twitter.

Tim Sweeney
@TimSweeneyEpic
· Aug 25, 18
Replying to @manfightdragon and 2 others
Android is an open platform. We released software for it. When Google identified a security flaw, we worked around the clock (literally) to fix it and release an update.

The only irresponsible thing here is Google’s rapid public release of technical details.

Tim Sweeney
@TimSweeneyEpic
We asked Google to hold the disclosure until the update was more widely installed. They refused, creating an unnecessary risk for Android users in order to score cheap PR points.

7:34 AM - Aug 25, 18
14
16 people are talking about this
Twitter Ads info and privacy
Is this a Google’s revenge because Epic Games is not distributing the Fortnite Android App?
Google, that is monitoring the installations of the game, privately explained to Epic Games CEO that there weren’t many unpatched installs remaining.

Lance McDonald
@manfightdragon
· Aug 25, 18
Replying to @TimSweeneyEpic and 3 others
I noticed in the bug tracker they just said "As per the email" with regard to choosing only to wait 7 days. Did their email elaborate at all on why they did this? It seems like there's no good reason for it.

Tim Sweeney
@TimSweeneyEpic
Google did privately communicate something to the effect that they’re monitoring Fortnite installations on all Android devices(!) and felt that there weren’t many unpatched installs remaining.

7:56 AM - Aug 25, 18
1
See Tim Sweeney's other Tweets
Twitter Ads info and privacy
But while a reason was not left in the original bug report, in a subsequent tweet, Sweeney revealed that Google engineers provided an explanation for their decision in private.