Vulnerability spotted in Fortnite Android installer

After Fortnite for Android arrived independently of the Google Play Store, Google has revealed that a flaw in the game's installer left players' devices vulnerable to being hacked.

The news brings a measure of validation to the security experts who criticised game developer Epic's decision to bypass Google's distribution platform, warning that encouraging users to side-load Fortnite would expose them to unnecessary security risks.

Disclosed on Google's Issue Tracker site for Android developers, the bug in Epic's initial Fortnite installer for Android allowed malicious apps on phones to hijack the Fortnite installer in order to download and install malware. What's more, it let them do it in the background, meaning that an app didn't need to flag to users that it was downloading content to the device.

Google did contact Epic over the issue, allowing the developer to update the Fortnite installer on Android before Google went public with the vulnerability, although Epic CEO Tim Sweeney still called Google irresponsible for not waiting until more people had applied the update.

See more

Fortnite on Android hack: What is the vulnerability?

When you download Fortnite for Android from Epic's website, you're actually just downloading an installer, rather than the full game. The Fortnite installer then does the heavy lifting, downloading the game in its entirety directly from Epic's servers.

The problem with this, as Google's security team discovered, is that Epic's Fortnite installer was easy to exploit. In theory, hackers could hijack the request from the Fortnite installer to Epic's servers and instead download something else when you tap the "download" button in the app.

This may not sound like much of an issue, but all it takes is one unsavoury app lying in wait on your phone to take advantage of this exploit. Given the popularity of Fortnite, and its highly anticipated release on Android, it's likely to be a target of hackers.

What makes matters worse is that once you've given the Fortnite installer a chance to download an app in the background, it never needs to ask for permission to do so again. Because the Fortnite installer is a 'dumb' app, it doesn't know which servers it's downloading from, it just knows it's being used to download something, so it can't flag a dodgy install.

Google posted a proof-of-concept video showcasing just how easy it is for a user to think they're downloading Fortnite when, in actuality, they're downloading a malicious app to their phone. The video can be downloaded in .mp4 format here.

It should, of course, be noted that Google has a vested interest in finding vulnerabilities in Fortnite and its distribution. By releasing Fortnite for Android outside of the Play Store, Epic Games keeps the game's revenues for itself, without paying Google the 30% cut it demands for hosting apps in its own market. Fortnite was making $1.2 million per day on average when it first arrived on iOS.

If Epic is successful in distributing Fortnite outside the Play Store, it could lead other developers to jump ship too, so Google has an incentive to prove security experts' fears right.

Fortnite on Android hack: How to make sure your phone is safe

Those now concerned about downloading Fortnite on Android needn't be. Epic has stated that it fixed the exploit fewer than 48 hours after being alerted to the flaw.

Those who currently use the original installer simply need to update to the latest version - 2.1.0 or newer. You can check to see if you're running this by launching the installer and heading to Settings. If you've somehow ended up installing an earlier version of the Fortnite installer, you won't be able to download Fortnite until you update to version 2.1.0.

If you're still worried about the vulnerability, you can uninstall Fortnite and its installer and reinstall them both. You should also run a scan with Google Play Protect to identify if any malware has been installed on your phone. You can do this by heading to the "My apps & games" section of the Google Play Store and tapping the "Play Protect" icon at the very top of your list of apps.

Freelance writer

Vaughn Highfield is a seasoned freelance writer with more than 10 years experience in content strategy and technology journalism.  

Vaughn is a self-described ‘wordsmith and UX wizard’, covering topics spanning cyber security, cryptocurrency, financial technology, and skills development. 

From 2015 to 2018, he served as a senior staff writer at Alphr before assuming the role of associate editor. In his role as associate editor, Vaughn was responsible for a range of duties, including the publication’s long-term content strategy, events coverage, editorial commissions, and curation of the Alphr newsletter. 

Prior to this, Vaughn held in-house roles at PCPro and Terrapinn Digital in addition to freelance marketing and content strategy activities with The Gamers Hub and Magdala Media.