Red Security

Critical Flaw Discovered in Fortnite Android App

Security researchers from Google have recently disclosed a dangerous flaw in the very first Android installer for the popular video game Fortnite. This flaw allows other apps installed on the phone to manipulate the installation process and run malicious programs instead of the Fortnite APK.

Researchers warned Epic Games that making their game available through the Google Play Store and not through their own app would require users to disable important security features in order to install the APK. These warnings turned out to be true.

In a video published by Google, they showed a "Man-in-the-Disk" attack vector. In short, this type of attack allows a malicious app to alter the data of other apps held in unguarded external storage before they read it, which leads to the installation of undesired apps instead of the original apps.

For those who are not aware, to install the Fortnite app on an Android phone, the user first needs to install a helper app that "helps" install the Fortnite APK. What was discovered was that any app on an Android phone with the WRITE_EXTERNAL_STORAGE permission could intercept the installation file and replace it with a malicious APK.

With these malicious APKs, an attacker could gain access to the user's SMS, call history, GPS, and even the camera.

Epic Games recommended that users update their installers to the latest version, 2.1.0. It is unclear whether the flaw was exploited in the wild.


---Sh7nk-Z0id
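
The general defence against the file swap described in the post, as an added example (not part of the original post and not Epic's or Google's code): copy the download into a private directory, hash the bytes as they are copied, and install only from the verified copy. The function names, the directory names and the trusted source of the expected SHA-256 are assumptions; Python is used so the check can be run anywhere.

```python
import hashlib, os, shutil, tempfile

class TamperedPackage(Exception):
    """The staged bytes do not match the digest the installer expected."""

def stage_and_verify(shared_path, private_dir, expected_sha256):
    """Copy a download into a private directory, hashing the bytes as copied.

    The digest covers the private copy's own bytes, so a later rewrite of
    shared_path cannot change what was checked or what gets installed.
    """
    os.makedirs(private_dir, mode=0o700, exist_ok=True)
    fd, staged = tempfile.mkstemp(dir=private_dir, suffix=".apk")  # created 0600
    digest = hashlib.sha256()
    try:
        with os.fdopen(fd, "wb") as dst, open(shared_path, "rb") as src:
            for chunk in iter(lambda: src.read(65536), b""):
                digest.update(chunk)
                dst.write(chunk)
        if digest.hexdigest() != expected_sha256:
            raise TamperedPackage(shared_path)
    except BaseException:
        os.unlink(staged)  # never leave an unverified file behind
        raise
    return staged  # hand only this path to the installer

def demo():
    """Constructed scenario: the shared file is rewritten at two moments."""
    root = tempfile.mkdtemp()
    shared = os.path.join(root, "shared", "game.apk")  # stands in for external storage
    private = os.path.join(root, "private")            # stands in for internal storage
    os.makedirs(os.path.dirname(shared))
    genuine, other = b"GENUINE-APK-BYTES", b"REPLACED-BYTES"  # constructed samples
    expected = hashlib.sha256(genuine).hexdigest()  # assumed to come from a trusted channel
    with open(shared, "wb") as f:
        f.write(genuine)
    staged = stage_and_verify(shared, private, expected)
    with open(shared, "wb") as f:  # rewrite after staging: too late to matter
        f.write(other)
    with open(staged, "rb") as f:
        unaffected = f.read() == genuine
    try:  # rewrite happened before staging: must be rejected
        stage_and_verify(shared, private, expected)
        rejected = False
    except TamperedPackage:
        rejected = True
    leftovers = len(os.listdir(private))  # only the verified copy remains
    shutil.rmtree(root)
    return unaffected, rejected, leftovers

if __name__ == "__main__":
    print(demo())
```

Checking the digest of the file in shared storage and then reopening that same path for installation would leave the window open; the point of the copy is that the verified bytes and the installed bytes are the same file.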