You may want to avoid this party bus for a while.
A storm of security issues is closing in on the Android version of Fortnite. And it isn’t likely to pass anytime soon.
Developer Epic Games just fixed a security flaw with Fortnite’s installer for Android devices, but researchers are expecting a flurry of problems for the online game as it gets more popular on Android.
That’s because Fortnite isn’t available through Google’s Play Store. Epic instead chose an unorthodox — and more dangerous — route for the game’s fans. Rather than download it through the official Google app store, players need to download the game and “sideload” the app on their Android devices instead.
That Epic is allowed to do this underscores why Google’s Android often gets knocked for its security chops. While Apple locks down its iPhone so you can only download apps through its App Store, Android lets you download programs in multiple ways. But that freedom comes at a risk: Apps outside of the Play Store are nine times more likely to be malware, according to Google.
With Fortnite’s influence over more than 125 million players, teaching people to download apps outside of the official store is exposing millions of people to a risky practice, researchers warned. Even if Epic means no harm, other apps may have more nefarious intentions.
“The problem with Fortnite is that it’s so attractive, and people are going to think sideloading is completely normal,” said Craig Williams, a security researcher and outreach director for Cisco’s Talos Intelligence Group. “They’ve made themselves an attractive target.”
Why is Epic going around Google? It doesn’t want to give up the 30 percent revenue cut that all app makers must share with the search giant. And given how insanely popular Fortnite has proven — with players willing to fork over real money for taunts and skins — that means significantly more revenue for the developer.
Fortnite’s Android fans, however, may end up paying the real price.
What was the vulnerability?
It didn’t take long for a problem to crop up. Just two days after Fortnite became available on Android, a Google engineer discovered a vulnerability that could let a hacker replace the app with a fake version of the game — known in cybersecurity circles as a man-in-the-disk attack because it abuses the way apps use shared external storage, like your SD card, to swap in malware before installation.
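To make the pattern concrete, here is an added simulation (not code from the article or from Epic’s installer) of why installing from shared storage is risky: an installer that writes a downloaded APK to a location other apps can write to, then installs from that path, can have the file swapped between download and install, while reading the file once and checking a pinned hash of the exact bytes it installs refuses the swapped file. The APK contents, paths and hash are constructed for the demo.

```python
import hashlib
import os
import tempfile

# Constructed stand-ins for the real package bytes (not real APKs).
GENUINE_APK = b"PK\x03\x04 genuine game bytes (constructed)"
TROJANED_APK = b"PK\x03\x04 swapped-in bytes (constructed)"
# The hash the installer would ship with, pinned to the release it expects.
EXPECTED_SHA256 = hashlib.sha256(GENUINE_APK).hexdigest()


def download(dest_dir, name="game.apk"):
    """Stand-in for the network fetch: writes the genuine APK to dest_dir."""
    path = os.path.join(dest_dir, name)
    with open(path, "wb") as f:
        f.write(GENUINE_APK)
    return path


def other_app_swaps_file(path):
    """Models any app with write access to the shared location during the race."""
    with open(path, "wb") as f:
        f.write(TROJANED_APK)


def install_unverified(path):
    """Vulnerable pattern: trusts whatever is at the path when install runs."""
    with open(path, "rb") as f:
        data = f.read()
    return "genuine" if data == GENUINE_APK else "trojan"


def install_verified(path):
    """Hardened pattern: read once, check the pinned hash on those bytes,
    and hand exactly those bytes to the package installer (assumed API)."""
    with open(path, "rb") as f:
        data = f.read()
    if hashlib.sha256(data).hexdigest() != EXPECTED_SHA256:
        return "refused"  # do not fall back to re-reading the file on disk
    return "genuine"


def race(installer, attacker_can_write=True):
    """attacker_can_write=True models shared external storage; False models
    app-private storage that other apps cannot reach."""
    with tempfile.TemporaryDirectory() as d:
        path = download(d)
        if attacker_can_write:
            other_app_swaps_file(path)
        return installer(path)
```

Running `race(install_unverified)` installs the swapped file, whereas `race(install_verified)` refuses it; with `attacker_can_write=False` both install the genuine package.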
Google said in a statement that it immediately notified Epic about the vulnerability.
Epic Games fixed the vulnerability with a patch on Aug. 16 and requested that Google keep it under wraps for 90 days so players would have plenty of time to install the patch before the vulnerability became public.
Instead, Google alerted the public a week later. Epic Games CEO Tim Sweeney criticized Google for disclosing the flaw so soon, arguing that it wasn’t enough time to roll the patch out for everybody. Sweeney accused Google of trying to “score cheap PR points.”
But Scott Helme, an independent security researcher from the UK, said the seven-day period was normal.
“You always want to disclose earlier because it informs people that they need to go patch right now,” Helme said. “People are far more likely to update now rather than next week or next month.”
Sweeney’s reaction — lashing out at Google for following a standard security practice — suggests Epic might not fully grasp the magnitude of the potential cybersecurity risks.
But Epic still finds some fault with Google’s approach.
“Google’s security analysis efforts are appreciated and benefit the Android platform,” Sweeney said in a statement. “However a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic’s distribution of Fortnite outside of Google Play.”
The debate over publicly disclosing the vulnerability would’ve been rendered moot had Epic just launched the game on the Play Store.
Google can more easily get the word out on the need for a patch, as well as push updates through the Play Store. It’s an entirely different process for sideloaded apps, Helme said.
Sweeney said in a tweet that the installer only updates when the game is running. That means you can only get the fix when you start playing Fortnite. If you haven’t touched the game in days or weeks, your installer is still vulnerable, which researchers warn puts your device at risk.
Still, don’t expect Epic to bring Fortnite to the Play Store anytime soon, despite the security issue flaring up just as many people had warned.
“It kind of came back to bite [Epic Games] in the ass,” Helme said.
And the risk isn’t just from Epic’s own installer. Within the first day after the developer released Fortnite for Android devices, Helme said fake Fortnite games made up nearly a third of the malware samples discovered that week.
When Williams saw the surge of fake Fortnite apps spamming the web, most were adware-bloated versions of the game. Scammers were offering the same gaming experience but making a quick buck by serving ads to their victims.
The fake versions were simple and couldn’t cause massive damage like stealing your account credentials or rooting your devices, he noted.
But as Epic Games keeps requiring players to sideload Fortnite on Android and the game becomes more popular, it’ll only get worse.
“What we’re seeing right now is the low-hanging-fruit forms of malware,” Williams said. “As time goes on, we’re going to see more complex samples take root.”
Originally published Aug. 28 at 5:00 a.m. PT.
Updated at 9:38 a.m. PT: Added a statement from Epic Games.