Google identified the flaw, which has since been patched
After Fortnite for Android arrived independently of the Google Play Store, Google has revealed that a flaw in the game's installer left players' devices vulnerable to being hacked.
The news brings a measure of validation to the security experts who criticised game developer Epic's decision to bypass Google's distribution platform, warning that encouraging users to side-load Fortnite would expose them to unnecessary security risks.
Disclosed on Google's Issue Tracker site for Android developers, the bug in Epic's initial Fortnite installer for Android allowed malicious apps on phones to hijack the Fortnite installer in order to download and install malware. What's more, it let them do it in the background, meaning that an app didn't need to flag to users that it was downloading content to the device.
Google did contact Epic over the issue, allowing the developer to update the Fortnite installer on Android before Google went public with the vulnerability, although Epic CEO Tim Sweeney still called Google irresponsible for not waiting until more people had applied the update.
Android is an open platform. We released software for it. When Google identified a security flaw, we worked around the clock (literally) to fix it and release an update.
The only irresponsible thing here is Google%u2019s rapid public release of technical details.
— Tim Sweeney (@TimSweeneyEpic) August 25, 2018
Fortnite on Android hack: What is the vulnerability?
When you download Fortnite for Android from Epic's website, you're actually just downloading an installer, rather than the full game. The Fortnite installer then does the heavy lifting, downloading the game in its entirety directly from Epic's servers.
The problem with this, as Google's security team discovered, is that Epic's Fortnite installer was easy to exploit. In theory, hackers could hijack the request from the Fortnite installer to Epic's servers and instead download something else when you tap the "download" button in the app.
This may not sound like much of an issue, but all it takes is one unsavoury app lying in wait on your phone to take advantage of this exploit. Given the popularity of Fortnite, and its highly anticipated release on Android, it's likely to be a target of hackers.
What makes matters worse is that once you've given the Fortnite installer a chance to download an app in the background, it never needs to ask for permission to do so again. Because the Fortnite installer is a 'dumb' app, it doesn't know which servers it's downloading from, it just knows it's being used to download something, so it can't flag a dodgy install.
Google posted a proof-of-concept video showcasing just how easy it is for a user to think they're downloading Fortnite when, in actuality, they're downloading a malicious app to their phone. The video can be downloaded in .mp4 format here.
It should, of course, be noted that Google has a vested interest in finding vulnerabilities in Fortnite and its distribution. By releasing Fortnite for Android outside of the Play Store, Epic Games keeps the game's revenues for itself, without paying Google the 30% cut it demands for hosting apps in its own market. Fortnite was making $1.2 million per day on average when it first arrived on iOS.
If Epic is successful in distributing Fortnite outside the Play Store, it could lead other developers to jump ship too, so Google has an incentive to prove security experts' fears right.
Fortnite on Android hack: How to make sure your phone is safe
Those now concerned about downloading Fortnite on Android needn't be. Epic has stated that it fixed the exploit fewer than 48 hours after being alerted to the flaw.
Those who currently use the original installer simply need to update to the latest version - 2.1.0 or newer. You can check to see if you're running this by launching the installer and heading to Settings. If you've somehow ended up installing an earlier version of the Fortnite installer, you won't be able to download Fortnite until you update to version 2.1.0.
If you're still worried about the vulnerability, you can uninstall Fortnite and its installer and reinstall them both. You should also run a scan with Google Play Protect to identify if any malware has been installed on your phone. You can do this by heading to the "My apps & games" section of the Google Play Store and tapping the "Play Protect" icon at the very top of your list of apps.