Twitter | Search | |
Andrew Martonik
Well here's a fun Friday news story on : Epic's first Fortnite installer allowed hackers to download and install anything on your Android phone silently (tip )
Google has just publicly disclosed that it discovered an extremely serious vulnerability in Epic's first Fortnite installer for Android that allowed any app on your phone to download and install...
Android Central Android Central @androidcentral
Reply Retweet Like More
Andrew Martonik Aug 24
Replying to @andrewmartonik
With the way the first Fortnite Installer was designed, you could tap "download" thinking you're getting Fortnite and instead get a massive payload of malware. Apps downloaded would install silently, and have full permissions to access *everything* on your phone short of root.
Reply Retweet Like
Andrew Martonik Aug 24
Replying to @andrewmartonik
This is irrespective of whether you turned off "unknown sources" installs, because you approved the initial install. So it's able to download and install further apps on its own without user approval or interaction.
Reply Retweet Like
Andrew Martonik Aug 24
Replying to @andrewmartonik
Epic was notified the morning of August 15, and had the fix deployed by the evening of August 16. It pushed an automatic update to its installer, so anyone who downloaded Fortnite after that point was no longer vulnerable. The problem is, millions downloaded before that.
Reply Retweet Like
Andrew Martonik Aug 24
Replying to @andrewmartonik
This is the type of thing that would likely be caught when the app was submitted to Google Play. And even if it wasn't, Google Play Protect could find this problem and retroactively kill the app on user's devices.
Reply Retweet Like
Andrew Martonik Aug 24
Replying to @andrewmartonik
Even still, Google's security team was the one to find this problem. Google *really* cares about security of Android as a platform, not just apps that come from the Play Store.
Reply Retweet Like
Andrew Martonik Aug 24
Replying to @andrewmartonik
There's no spiking the football here, but this is *exactly* the type of vulnerability that we were worried about when the news of the direct distribution mechanism came out. One misstep on an app this popular, and you just exposed millions to a *really* bad vulnerability.
Reply Retweet Like
Andrew Martonik Aug 24
Replying to @andrewmartonik
Perhaps the best part about this whole process was Epic asking Google to keep its disclosure of the vulnerability private even after it had fixed the problem and Google basically saying "lolno" and disclosing the whole thing publicly.
Reply Retweet Like
Mishaal Rahman Aug 24
Hey, I don't think it affects every Android device. The Issue Tracker says it uses a Galaxy Apps API to let the Samsung Installer silently install the app in the background. That can't happen on non-Samsung phones without the Galaxy App Store.
Reply Retweet Like
Andrew Martonik Aug 24
This affects every Android phone. The only difference is whether the user got the Fortnite Installer from Galaxy Apps or installed it directly. If the user installed directly, they would have already approved the first install, and don't get a prompt for subsequent installs.
Reply Retweet Like
Andrew Martonik Aug 24
This was disclosed to Epic when the only official place to get the Fortnite Installer was from Galaxy Apps. I think that's leading to confusion.
Reply Retweet Like
Mishaal Rahman Aug 24
You're conflating two different things. 1) "Unknown install" option. 2) The prompt to install the APK. Fortnite Mobile and Fortnite Installer are two different APKs. Just because you install the latter doesn't automatically mean the former can be installed silently.
Reply Retweet Like
Andrew Martonik Aug 24
I think you're arguing semantics, not whether the vulnerability is valid on non-Samsung phones. This vulnerability allows a malicious app on any Android phone to replace the Fortnite installation during the installation process without any additional request for permission.
Reply Retweet Like
Mishaal Rahman Aug 24
That means this only happens on Samsung phones: "Meaning any app that the Fortnite Installer installs will be installed silently, in the background, without any confirmation other than tapping that "download" button once."
Reply Retweet Like
Andrew Martonik Aug 24
Happy to attempt to clarify the wording, but the meat of the issue is the same. You install Fortnite as expected, but you just installed something else.
Reply Retweet Like
Zachary Wander Aug 24
Yeah, but it still only really affects Samsung devices. Any other device, and there's no silent installation. It's still possible to install a fake version of Fortnite, but that's always the case when installing from outside a trusted source.
Reply Retweet Like
Andrew Martonik Aug 24
The process is only slightly different on non-Samsung devices. You get a request to install from unknown sources, which you expect when downloading outside of Google Play, and that download is a malicious app instead of Fortnite.
Reply Retweet Like
Zachary Wander Aug 24
And unless that Samsung API just blows away any old Fortnite APK (even the silent package installer should check the signature, unless Samsung completely bypassed that), then it wouldn't be possible to "update" to a fake version.
Reply Retweet Like
Mishaal Rahman Aug 24
You're missing a step: You get another prompt "are you sure you want to install this app?" The standard package manager prompt.
Reply Retweet Like
Andrew Martonik Aug 24
Yeah the update vulnerability worry isn't really there, because it no longer has the correct permissions to do so. The problem is the initial one that was out there had the wrong permissions and let malicious apps hijack the first Fortnite download.
Reply Retweet Like