Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
Android Security Games

Epic's First Fortnite Installer Allowed Hackers To Covertly Download and Install Anything on Users' Android Phones, Google Researchers Say (androidcentral.com) 39

Posted by msmash from the how-is-the-experiment-going-buddy?-Love-Google. dept.
Epic decided to ditch Google Play Store for its sleeper hit Fortnite. By doing so, while Epic may have saved some money that it would have had to split with Google, it also ran into an issue that it could have avoided had it not parted ways with Google. AndroidCentral reports: Google has just publicly disclosed that it discovered an extremely serious vulnerability in Epic's first Fortnite installer for Android that allowed any app on your phone to download and install anything in the background, including apps with full permissions granted, without the user's knowledge. Google's security team first disclosed the vulnerability privately to Epic Games on August 15, and has since released the information publicly following confirmation from Epic that the vulnerability was patched.

[...] When you go to download "Fortnite" you don't actually download the whole game, you download the Fortnite Installer first. The Fortnite Installer is a simple app that you download and install, which then subsequently downloads the full Fortnite game directly from Epic. The problem, as Google's security team discovered, was that the Fortnite Installer was very easily exploitable to hijack the request to download Fortnite from Epic and instead download anything when you tap the button to download the game. It's what's known as a "man-in-the-disk" attack.
This discussion has been archived. No new comments can be posted.

Epic's First Fortnite Installer Allowed Hackers To Covertly Download and Install Anything on Users' Android Phones, Google Resea More

Epic's First Fortnite Installer Allowed Hackers To Covertly Download and Install Anything on Users' Android Phones, Google Resea

Comments Filter:

  • That's just Epic's stupid way of doing things (Score:2, Insightful)

    by Anonymous Coward

    They have an installer for everything, or a "launcher" which is an repackaged web browser that downloads things for you or lets you access their web store for content.

    Epic could let you just download directly from your browser but then the walled garden Apple wanna-be aspirations would be gone.

  • Comment removed (Score:5, Informative)

    by account_deleted ( 4530225 ) on Friday August 24, 2018 @10:40PM (#57190844)
    Comment removed based on user account deletion

  • Epic Fail?

  • Leave it to Samsung to write code that allows apps to install without asking you to confirm permissions.

  • Android is broken... but you can fix it yourself with the source code!

    • If I ever got a mod point I'd probably give that one a funny, though there's an element of insight, too. Other aspects of the problems are too obvious for comment.

      Instead, I'll just ask again for solution approaches. Obviously signed code from reliable sources is one, but I'd prefer to see the Google stop abusing everyone and start using some of the information in our favor. In the Android app case, that would involve sharing the financial information to help the potential victims recognize the probably cro

  • How many of these other applications that use similar installers have such vulnerabilities (irrespective of program, or the platform they run on)? This is a trend I'm seeing a lot, "installers" that download the program, rather than just installing them.

Slashdot Top Deals

...though his invention worked superbly -- his theory was a crock of sewage from beginning to end. -- Vernor Vinge, "The Peace War"

Close