Fortnite installer for Samsung devices was initially vulnerable to invisible malware

Written over 1 year ago by IanDorfman

Android users who jumped on the release of Fortnite as soon as it was made available on the platform may have suffered an attack on their devices without noticing it.

Back in the first week of August, Fortnite developer and publisher Epic Games announced that the Android version of its worldwide hit Fortnite would not be listed on the Google Play Store, and that users who wish to play the game on their Android devices would need to install it directly. Early versions of the Android Fortnite Installer app provided directly via Epic Games' website were vulnerable to interception and malware injection, all without users noticing the attack.

The vulnerability, first publicly disclosed by Google on August 15th, allowed attackers to implant malware into the Fortnite Installer app by replacing the "com.epicgames.fortnite" APK that it is supposed to download with any other file that uses the same name. This is referred to as a man-in-the-disk attack.
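The following is an added example, not code from Epic, Google or the original article. It contrasts an installer check that trusts the file name alone with one that also pins the content hash. The shared directory, the `.apk` file name, the pinned SHA-256 digest and all function names are assumptions made for illustration, and the file contents are constructed placeholders.

```python
import hashlib
import os
import tempfile

PACKAGE_NAME = "com.epicgames.fortnite"  # package name quoted in the article
APK_FILE = PACKAGE_NAME + ".apk"         # assumed on-disk file name


def sha256_file(path):
    """Stream the file through SHA-256 so a large APK is not held in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def name_only_check(path, expected_sha256=None):
    """Weak check: accepts any file carrying the expected name."""
    return os.path.basename(path) == APK_FILE


def pinned_digest_check(path, expected_sha256):
    """Hardened check: the name must match and the content must hash to the pin."""
    return name_only_check(path) and sha256_file(path) == expected_sha256


def simulate(check):
    """Run `check` on the downloaded file, then again after its content changes."""
    genuine = b"constructed bytes standing in for the genuine APK"
    replacement = b"constructed bytes standing in for a different file"
    # Assumption: the installer obtains this digest from the vendor over TLS.
    pinned = hashlib.sha256(genuine).hexdigest()
    with tempfile.TemporaryDirectory() as shared_dir:  # stands in for shared storage
        apk_path = os.path.join(shared_dir, APK_FILE)
        with open(apk_path, "wb") as fh:
            fh.write(genuine)
        before = check(apk_path, pinned)
        with open(apk_path, "wb") as fh:  # same name, different content
            fh.write(replacement)
        after = check(apk_path, pinned)
    return before, after


if __name__ == "__main__":
    print("name only     :", simulate(name_only_check))
    print("pinned digest :", simulate(pinned_digest_check))
```

The name-only check accepts the file both before and after its content changes, while the pinned-digest check rejects it once the bytes no longer match.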

Epic patched the launcher within the span of a little over a day, releasing the upgraded version on August 16th.

Because this vulnerability was enabled strictly by a design flaw in the Epic-designed Fortnite Installer app downloaded from the company's website, it would not have occurred if Epic had released the game on the Google Play Store.

Additional coverage:
Android Central
Ars Technica