Epic Games, the developer of Fortnite, caused a massive upheaval in the app market when it decided to launch the mobile version of the popular game through its own platform rather than Google’s Play Store. In hindsight, that probably won’t go down as a good choice.
Google has revealed a few gaping security loopholes in the game’s launcher on Android, and Epic Games is having none of it. The CEO even accused Google of scoring “cheap PR points”.
As for the flaw, Fortnite’s custom installer app can allow hackers to install malicious apps on a user’s phone, without the user knowing about it, through a Man-in-the-Disk (MitD) attack.
How it Works
The attack makes use of the launcher’s access to external storage, such as a microSD card. Because the launcher checks only the name of an APK file when accessing it, a different, malicious APK with that name can be installed without the user knowing.
The issue has thankfully been resolved: Google first informed Epic Games of the bug’s presence on August 15, and it was fixed within two days. That doesn’t prevent Epic Games from feeling a bit used here, though.
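The difference between a name-only check and a content check can be shown in a short simulation. This is an added example, not Epic Games' or Google's code: the file name, the payload bytes and the idea that the expected SHA-256 arrives over a trusted channel are all assumptions, and it illustrates one general mitigation rather than the fix Epic shipped.

```python
import hashlib
import os
import shutil
import tempfile

EXPECTED_NAME = "game.apk"  # constructed name, not taken from the article


def name_only_check(path):
    """Weak check as described above: trusts any file with the expected name."""
    return os.path.basename(path) == EXPECTED_NAME


def stage_and_verify(shared_path, private_dir, expected_sha256):
    """Copy the file into app-private storage, then hash the private copy.

    Hashing the copy (not the shared original) means another app cannot
    swap the bytes between verification and installation.
    Returns the private path to install from, or None if rejected.
    """
    private_path = os.path.join(private_dir, EXPECTED_NAME)
    shutil.copyfile(shared_path, private_path)
    digest = hashlib.sha256()
    with open(private_path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    if digest.hexdigest() != expected_sha256:
        os.remove(private_path)  # never leave a rejected file staged
        return None
    return private_path


def demo():
    """Simulate a download on shared storage that another app overwrites."""
    genuine = b"genuine installer payload (constructed)"
    swapped = b"different payload written by another app (constructed)"
    # Assumption: the expected digest comes from a trusted channel.
    expected = hashlib.sha256(genuine).hexdigest()
    results = {}
    with tempfile.TemporaryDirectory() as shared, \
            tempfile.TemporaryDirectory() as private:
        path = os.path.join(shared, EXPECTED_NAME)
        for label, data in (("genuine", genuine), ("swapped", swapped)):
            with open(path, "wb") as f:
                f.write(data)
            accepted = stage_and_verify(path, private, expected) is not None
            results[label] = (name_only_check(path), accepted)
    return results
```

In each result tuple the first value is the name-only verdict and the second is the digest verdict; the swapped file passes the first and fails the second.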
Epic Games’ Request
The company asked Google not to disclose any details regarding the bug for at least 90 days, which is the usual time limit Google allows companies when it first discovers a bug in their software or, as in Intel’s case, hardware.
However, Google immediately went public with the knowledge, in a bid to score what the Epic Games CEO calls “cheap PR points”. The company claims it wanted more people to install the bug fix before the security issue was made known to malicious parties.
Still, the incident could probably go on to convince developers to launch their apps on the Play Store rather than through other platforms.