When Epic Games, developer of the popular game Fortnite, announced they would be distributing their game outside of the Play Store on Android devices, many people eyed the decision with suspicion. The Play Store, like other major distribution platforms, has mechanisms in place to verify the integrity of an app. Epic Games claimed the risk of distributing the app this way was minimal.
On August 15th, an issue was posted to the Google issue tracker highlighting a serious flaw in the Fortnite installer that could allow it to be used to install any app an attacker chooses.
The flaw is very simple: Epic Games distributes the Fortnite Installer, and this app then downloads, verifies and installs the .apk that contains the game itself. Unfortunately, after the download and verification phase, the Fortnite Installer checked only the name of the .apk. An attacker could simply swap a malicious app, carrying the same name, in place of the Fortnite download, and the Fortnite Installer would install the malicious app.
On Samsung devices, this attack becomes even easier because the Fortnite Installer uses the Galaxy Apps API, which only checks that the package name is com.epicgames.fortnite.
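The gap between verification and installation described above can be modelled in a few lines. This is an added example, not code from Epic Games or from the original article: the file name, the payload bytes and the idea that the expected digest comes from a trusted source are all assumptions, and a returned byte string stands in for handing the file to the package installer.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed file name, built from the package name quoted in the article.
EXPECTED_NAME = "com.epicgames.fortnite.apk"


def install_name_only(path):
    """Weak check: trusts whatever file currently carries the expected name."""
    if os.path.basename(path) != EXPECTED_NAME:
        raise ValueError("unexpected file name")
    with open(path, "rb") as f:
        return f.read()  # stands in for "install these bytes"


def install_pinned(path, expected_sha256):
    """Hardened check: read once, verify those exact bytes, install only them."""
    with open(path, "rb") as f:
        data = f.read()
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256):
        raise ValueError("digest mismatch: file changed after verification")
    return data


def demo():
    """Replace a verified download with other content under the same name."""
    genuine = b"constructed genuine payload"
    other = b"constructed substitute payload"
    # Assumption: the expected digest is obtained from a trusted source.
    pinned = hashlib.sha256(genuine).hexdigest()
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, EXPECTED_NAME)
        with open(path, "wb") as f:
            f.write(genuine)
        ok_before = install_pinned(path, pinned) == genuine
        with open(path, "wb") as f:  # file replaced after verification
            f.write(other)
        weak_accepts = install_name_only(path) == other
        try:
            install_pinned(path, pinned)
            strong_rejects = False
        except ValueError:
            strong_rejects = True
    return ok_before, weak_accepts, strong_rejects


if __name__ == "__main__":
    print(demo())
```

The name-only check accepts the replaced file, while the pinned check refuses it because the bytes it is about to install are the same bytes it hashed.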
All of this stems from Epic Games rolling their own verification methods instead of relying on the Play Store to perform cryptographic verification. This also does nothing to protect users against maliciously modified versions of the installer. Another popular game, Minecraft, has been used as a pretext to convince users (predominantly children) to install ‘hacked’ or ‘modded’ versions with promises of cheats. Fortnite is widely expected to be used the same way, especially when users already know that the legitimate game is not available via the Play Store.
A fixed version of the installer has already been released and the installer will update itself when launched.