Just as critics feared, Fortnite for Android came with an epic security risk

Epic Games has already patched the hole, but it's not a great look.

Gordon Gottsegen, CNET contributor

After watching friends play Fortnite on their iPhones for months, you may have downloaded the game the second it became available for your Android phone. I get it. But doing so could have put you at risk.

As spotted by Android Central, Google has disclosed a huge vulnerability in Epic Games' original Fortnite installer for Android, one that could have taken advantage of the Fortnite installer to install and launch a rogue app, and even give that app access to your phone's data without you ever knowing. 

For the attack to work, it sounds like you would have already needed to have a piece of malware on your phone, ready and waiting to strike, though not a particularly sophisticated one. After you ask the Fortnite Launcher to download Fortnite, Google claims that any app with the WRITE_EXTERNAL_STORAGE permission would have been able to sneakily replace the real Fortnite app with a fake one after security checks were already complete. It's known as a "man-in-the-disk" attack.

Worse, the Fortnite installer might have automatically granted a fake app all the permissions it requests (access to microphone, location, SMS and so on), giving it an incredible amount of power over your data. That's because the Fortnite installer tries to sidestep the permissions step, the prompt in which Google asks whether you want to give a new app access to certain things on your phone, which the Google Play Store includes by default.
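One defensive pattern against the man-in-the-disk flaw described above, as an added example that is neither Epic's installer code nor the fix it shipped: stage the download in app-private storage rather than on shared external storage, and hash the exact bytes handed to Android's PackageInstaller, so nothing a WRITE_EXTERNAL_STORAGE app can touch sits between the check and the install. The expected SHA-256 digest and the install-status IntentSender are assumed to be supplied by the caller.

```java
import android.content.Context;
import android.content.IntentSender;
import android.content.pm.PackageInstaller;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public final class SafeApkInstaller {
    /** Where the downloaded APK is staged. Constructed for this example. */
    public static File stagingFile(Context ctx) {
        // Vulnerable choice: a path under Environment.getExternalStorageDirectory(),
        // which any app holding WRITE_EXTERNAL_STORAGE can overwrite after the check.
        // Internal app-private storage is writable only by this app (and root).
        return new File(ctx.getFilesDir(), "game.apk");
    }

    /**
     * Streams the staged APK into a PackageInstaller session, hashing exactly the
     * bytes given to the installer, and commits only if the digest matches.
     */
    public static void install(Context ctx, File apk, byte[] expectedSha256,
                               IntentSender statusReceiver)
            throws IOException, NoSuchAlgorithmException {
        PackageInstaller installer = ctx.getPackageManager().getPackageInstaller();
        PackageInstaller.SessionParams params = new PackageInstaller.SessionParams(
                PackageInstaller.SessionParams.MODE_FULL_INSTALL);
        PackageInstaller.Session session = installer.openSession(installer.createSession(params));
        try {
            MessageDigest sha = MessageDigest.getInstance("SHA-256");
            try (InputStream in = new FileInputStream(apk);
                 OutputStream out = session.openWrite("base.apk", 0, apk.length())) {
                byte[] buf = new byte[64 * 1024];
                int n;
                while ((n = in.read(buf)) > 0) {
                    sha.update(buf, 0, n);  // digest covers the bytes actually staged
                    out.write(buf, 0, n);
                }
                session.fsync(out);
            }
            if (!MessageDigest.isEqual(sha.digest(), expectedSha256)) {
                throw new IOException("APK digest mismatch; refusing to install");
            }
            session.commit(statusReceiver);  // no re-read from disk between check and install
        } catch (IOException | NoSuchAlgorithmException | RuntimeException e) {
            session.abandon();  // discard the staged bytes; nothing gets installed
            throw e;
        }
    }
}
```

Because the installer consumes the bytes from the session rather than re-opening a file path, a swap on disk after the hash check no longer changes what gets installed.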

Image: Fortnite on the Samsung Galaxy Note 9. (Sarah Tew/CNET)

CNET was one of many who raised concerns weeks ago when it found out that Epic Games was sidestepping the Google Play Store with its own special installer, because of the risks it could potentially cause for people downloading the game. Sounds like those concerns were warranted. 

Fortunately, the vulnerability didn't last long. Fortnite became available for Android on Aug. 9, starting with Samsung Galaxy devices, and then became available for all of Android on Aug. 12. Google brought the vulnerability to Epic Games' attention on Aug. 15. Epic Games immediately acknowledged its mistake and fixed the bug with version 2.1.0 of the launcher on Aug. 16. 

This means that there was only a one-week window when people could have been affected, and there's no indication that anyone actually was. Still, with an app as hyped as Fortnite, there would have been significant incentives for hackers to give it a try.

Epic Games didn't immediately respond to a request for comment, but Epic CEO Tim Sweeney has been publicly questioning whether Google did the responsible thing by disclosing the vulnerability this early.

Google provided the following statement: "User security is our top priority, and as part of our proactive monitoring for malware we identified a vulnerability in the Fortnite installer. We immediately notified Epic Games and they fixed the issue." Here's Google's vulnerability disclosure policy.


Update, 12:12 p.m. PT: With Google statement.