Google has just publicly disclosed that it discovered an extremely serious vulnerability in Epic’s first Fortnite installer for Android that allowed any app on your phone to download and install anything in the background, including apps with full permissions granted, without the user’s knowledge. Google’s security team first disclosed the vulnerability privately to Epic Games on August 15, and has since released the information publicly following confirmation from Epic that the vulnerability was patched.
In short, this was exactly the kind of exploit that Android Central, and others, had feared would occur with this sort of installation system.
Everybody rang the alarm bells about Epic distributing its Fortnite game outside of the Play Store, asking users to enable installation from untrusted sources, and here we are – the warnings were justified. Incredible.
Don’t install this garbage unless you know what you’re doing. It’s clear Epic cares more about its bottom line than its – often very young – players.
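The article says the flaw let any other app on the phone turn Epic's installer into a way of installing something else. The model below is an added example written for this page, not code from the original post, from Epic or from Google, and it does not reproduce the actual bug: it assumes one plausible attacker model (a second app that can overwrite the downloaded package file before the installer hands it to the OS) and a vendor-pinned SHA-256 digest, both of which are assumptions, to show the check any out-of-store installer should make and the check-then-install race it must avoid.

```python
"""Model of an out-of-store installer: download a package, then hand it to the
platform installer. Added example; not Epic's, Google's or Android's code."""
import hashlib
import hmac
import os
import tempfile

# Constructed stand-ins for APK bytes (not real packages).
GENUINE_APK = b"PK\x03\x04 genuine-game-package"
TROJAN_APK = b"PK\x03\x04 trojan-package-requesting-every-permission"

# Assumption: the vendor pins the digest of the payload it ships into the installer.
EXPECTED_SHA256 = hashlib.sha256(GENUINE_APK).hexdigest()


def download_package(dest_dir, payload=GENUINE_APK):
    """Stand-in for fetching the game over HTTPS: write the bytes under dest_dir."""
    path = os.path.join(dest_dir, "game.apk")
    with open(path, "wb") as f:
        f.write(payload)
    return path


def platform_installer(apk_bytes):
    """Stand-in for the OS package installer: report what it would install."""
    return "trojan" if apk_bytes == TROJAN_APK else "genuine"


def other_app_swaps_file(path):
    """Assumed attacker model: a second app that can write to the directory the
    installer used replaces the file between download and install."""
    with open(path, "wb") as f:
        f.write(TROJAN_APK)


def naive_install(work_dir, attacker_present):
    """Install whatever is on disk at the path we downloaded to, unverified."""
    path = download_package(work_dir)
    if attacker_present:
        other_app_swaps_file(path)
    with open(path, "rb") as f:
        return platform_installer(f.read())


def hardened_install(work_dir, attacker_present):
    """Read the file once, verify the pinned digest over those exact bytes, and
    hand the same bytes to the installer, so there is no check-then-install gap."""
    path = download_package(work_dir)
    if attacker_present:
        other_app_swaps_file(path)
    with open(path, "rb") as f:
        data = f.read()
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, EXPECTED_SHA256):
        raise ValueError("package digest mismatch; refusing to install")
    return platform_installer(data)


def run_scenarios():
    """Run both installers with and without the swapping app; return outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        results["naive_clean"] = naive_install(d, attacker_present=False)
        results["naive_attacked"] = naive_install(d, attacker_present=True)
        results["hardened_clean"] = hardened_install(d, attacker_present=False)
        try:
            results["hardened_attacked"] = hardened_install(d, attacker_present=True)
        except ValueError:
            results["hardened_attacked"] = "refused"
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario}: {outcome}")
```

Two points the model is built to show: the digest is computed over the same bytes that go to the installer, so verifying the file and then re-reading it from a directory another app can write to would not help; and downloading into storage only the installer itself can write removes the other app's access in the first place, with the digest check remaining as the backstop.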
From what I understand, this is a beta, invite-only version. It was patched, and I don't know if there is an auto-update in place.
Facebook does auto-updates outside the Play Store on Android; that's fking creepy.
Back to this gaming-on-Android thing: let's pretend it's a console and it happens….
Shame on the developer!!!! They should have at least, at the very minimum, submitted the app to the Play Store and run it through the process. A company that big should have a Play Store account.
I think Google and everyone else have to share the blame.
This includes the user: your phone is not a console, dammit!!
My phone is my phone and you have no standing to try to tell me what I can and cannot use it for, you self-righteous, ignorant, foul-mouthed jerk. You really have some awful nascent dictatorial qualities about you. You want to force companies to do things and you feel you have the right to control what people do with their possessions.
I’ll reply to you once I get a proper OS/keyboard in my hands.
2 1/2 days later…
> Google still managed to catch this vulnerability even though the app isn’t being distributed through the Play Store
Biggest game of the day decides to skip their store, and they casually scan their installer and find 0-days of sorts, yup… totally innocent…
So, does Google detect apps from their store that “look for requests to download something from the internet and intercepts that request to download something else instead, unbeknownst to the original downloading app” making this a non-issue then?
What I’d like to know is how this is allowed to bypass the OS-provided permission prompts that I encounter every time I update an application installed by F-Droid. Does the Fortnite installer request every permission it thinks the game might ever possibly need and then implement its own promptless permission system underneath that?
Edited 2018-08-25 04:04 UTC
Seems like they knew the ramifications before publishing. The public that trusted them should be given a full account of who had the knowledge and any details of abuse.
Seems convenient for sovereign entities marketing free stuff to ignorant masses to basically root their devices and steal their intellectual interests. The KGB and PRC have to love this conduit into American homes.
What is this KGB you talk of? Kakadu Googlygook Bureau?
Everyone knows that the US is the one listening to everything and stealing intellectual property. Even Kakadu Googlygook Bureau isn’t half as bad.
The out-of-the-ordinary thing here is not that a software provider deployed software to a user’s device that weakened its security and provided a new attack vector.
This will be standard practice on platforms that do not certify/manage app installs (read: any OS that doesn’t use a ‘store’ model), and 99% of the time it goes unnoticed.
The out-of-the-ordinary thing is that Google did some research and discovered it in Epic’s app, promptly instigated having it fixed, and made sure everyone knew it did so.
Brilliant calculated political statement by Google given the discussion regarding app stores Epic had stirred.
Edited 2018-08-27 14:51 UTC
I don’t understand, Thom. You’ve dedicated quite a bit of space on this website to editorializing against app stores like Google Play. Now you are criticizing Epic for not distributing their beta through Google Play?