Google security researchers revealed last week that the immensely popular Fortnite Android app is vulnerable to man-in-the-disk (MitD) attacks.
This vulnerability allows low-privileged malicious apps already installed on a user’s phone to hijack the Fortnite app’s installation process and install other malicious apps that have a higher permission level.
Fortnite’s developer, Epic Games, has released version 2.1.0 that fixes this problem.
What are MitD attacks?
Simply put, MitD attacks can happen when an Android app stores data on external storage, outside its highly secured internal storage space. Because external storage is shared by all apps, an attacker can watch a specific app’s external storage space and tamper with the data stored there.
The Fortnite app is vulnerable to these types of attacks because the app doesn’t contain the actual game, but is merely an installer. Once users install the app, the device accesses the external storage space to install the actual game.
“Any app with the WRITE_EXTERNAL_STORAGE permission can substitute the APK immediately after the download is completed and the fingerprint is verified. This is easily done using a FileObserver. The Fortnite Installer will proceed to install the substituted (fake) APK,” a Google researcher wrote in a recent public bug report.
“If the fake APK has a targetSdkVersion of 22 or lower, it will be granted all permissions it requests at install-time. This vulnerability allows an app on the device to hijack the Fortnite Installer to instead install a fake APK with any permissions that would normally require user disclosure,” the researcher added.
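The weakness the researcher describes is a check-then-use gap: the fingerprint is verified on a file that other apps can still rewrite. The following added example (not code from Epic Games or from the bug report) simulates the mitigation in Python, using two temporary directories as stand-ins for shared external storage and app-private internal storage; the function names and file contents are constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """Hex SHA-256 of a file."""
    with open(path, "rb") as handle:
        return hashlib.sha256(handle.read()).hexdigest()


def stage_verified(shared_path, private_dir, expected_sha256):
    """Copy the download into a private directory, then verify THAT copy.

    Only the returned path may be handed to the installer. Raises
    ValueError (and deletes the copy) if the fingerprint differs.
    """
    os.makedirs(private_dir, mode=0o700, exist_ok=True)
    staged = os.path.join(private_dir, "staged.apk")
    shutil.copyfile(shared_path, staged)
    if sha256_of(staged) != expected_sha256:
        os.remove(staged)
        raise ValueError("fingerprint mismatch, refusing to install")
    return staged


def demo():
    """Constructed scenario: the shared file is rewritten after the check."""
    root = tempfile.mkdtemp()
    shared = os.path.join(root, "shared", "download.apk")  # stands in for external storage
    private = os.path.join(root, "private")  # stands in for internal storage
    os.makedirs(os.path.dirname(shared))
    genuine = b"constructed bytes standing in for the genuine APK"
    with open(shared, "wb") as handle:
        handle.write(genuine)
    expected = hashlib.sha256(genuine).hexdigest()

    staged = stage_verified(shared, private, expected)
    with open(shared, "wb") as handle:  # another app rewrites the shared file
        handle.write(b"constructed bytes standing in for a substituted APK")
    shared_still_genuine = sha256_of(shared) == expected  # verify-then-use path
    staged_still_genuine = sha256_of(staged) == expected  # private verified copy
    try:  # a file tampered with before staging is rejected outright
        stage_verified(shared, private, expected)
        rejected = False
    except ValueError:
        rejected = True
    shutil.rmtree(root)
    return shared_still_genuine, staged_still_genuine, rejected
```

Because the hash is computed on the private copy, a swap made in shared storage at any point either fails verification or never reaches the file that gets installed.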
In their defense, Epic Games’ CEO Tim Sweeney claims Google released this information prematurely.
“We asked Google to hold the disclosure until the update was more widely installed. They refused, creating an unnecessary risk for Android users in order to score cheap PR points,” Sweeney said on Twitter.
Google refused Epic Games’ request and made the bug report public in late August, a week after Epic Games released its patch. This made many people believe this was payback after Epic Games pulled the Android app from the Play Store so the game developer could keep 100% of the game’s profits.
The move was criticized by many security experts, who warned about possible security flaws that might go under the radar because the app wasn’t scanned by Google’s Bouncer service before reaching users’ devices.
“Google did privately communicate something to the effect that they’re monitoring Fortnite installations on all Android devices(!) and felt that there weren’t many unpatched installs remaining,” Sweeney said.
Whether Epic Games or Google is in the right or wrong is up to you to decide, but security risks are all around us: at the office, at home, on free public Wi-Fi. The question is: how secure are your devices, and how much of your personal identity information is at risk?
*Original Source: BleepingComputer.com