Fortnite’s not so Epic installer PP

Fortnite. A game the whole world has become addicted to, except for me and my cat, has reached Android. Though with a twist. You won’t find it within the Play Store as Epic have decided to distribute the game outside of Google’s walled garden. Supposedly this is to save on the percentage Google takes for providing a storefront, backend CDN, payment processing and other ancillary services. In reality though, there’s a darker truth.

To install Fortnite you’ll need to carry out a procedure known as side loading also referred to as allowing unknown sources. This is where a device is told to install a program that hasn’t come from an authorised location, like Google Play or the App Store on iOS. Enabling side loading isn’t necessarily a difficult thing to do but it’s dangerous. You’re opening a metaphorical back door to your phone or tablet, allowing other potential nasties inside. All so Epic can save a few pennies per installation, per user.

Now sure you can disable side loading just as quickly. But I’m thinking about the huge swathes of younger players without device security in mind and simply want to play the game. I can see a lot of devices with their side loading features being inadvertently left on.

This is where the ‘fun’ starts.

Mark my words. It’s more a matter of when, not if, hackers start producing viral payloads, Cryptocurrency miners and all sorts of digital nasties, masquerading as the Epic Fortnite installer. If an app asked you to lower your defences, I’d hope you’d think twice about it. Yet, Fortnite cannot install without Android’s side loading capabilities turned on. I fear this will not only leave many devices unsecured, but will train end users that this sort of behaviour is OK. The next time malware tries to get onto a phone it could well be a easier prospect.

Still, at least if you grab the truly official Epic installer it will be trustworthy, right?

Google has just publicly disclosed that it discovered an extremely serious vulnerability in Epic’s first Fortnite installer for Android that allowed any app on your phone to download and install anything in the background, including apps with full permissions granted, without the user’s knowledge.

[…] Google’s Issue Tracker page for the exploit has a quick screen recording that shows just how easily a user can download and install the Fortnite Installer, in this case from the Galaxy Apps Store, and think they’re downloading Fortnite while instead downloading and installing a malicious app, with full permissions — camera, location, microphone, SMS, storage and phone — called “Fortnite.” It takes a few seconds and no user interaction.

Andrew Martonk, Android Police.

Oh for the love of…

01 September, 2018