Google has raised the alarm on the immensely popular Fortnite Android app, warning it has a severe security flaw, which could expose millions of gamers to malware.
Fortnite developer Epic Games decided to bypass the Google Play Store and make the app available on its own website to avoid paying the 30% store tax. While distributing outside the Play Store makes perfect sense to the company, it may put its customers at increased risk of malware infections – installing apps from sites other than the Play Store means that users need to turn off the default security settings. And this is where hackers are waiting to catch their victims.
According to researchers, the vulnerability exists in the Fortnite Installer, which allows rogue apps to interfere with the installation process and make users download malware instead of the game.
Experts agree that the Google Play Store isn’t perfect, but it is far riskier to disable the default security settings on your Android device to download apps from third-party sources. If you forget to turn those settings back on, you could leave your smartphone open to attack.
The Man-in-the-Disk Attack Vector
Google developers and security researchers discovered the dangerous flaw in the Fortnite installer app right after the game was launched.
To install the popular game on your Android device, you first need to get the Fortnite Installer app, which downloads Fortnite to your phone’s storage. As it turns out, an attacker can use other apps that declare the WRITE_EXTERNAL_STORAGE permission to hijack the installer and silently inject malicious software.
The so-called Man-in-the-Disk (or MitD) attack was only possible because the installer wasn’t designed with security in mind. Therefore, the hackers behind the attack could easily trick the app into thinking it was installing the game, while it was actually downloading malware.
Fortunately, Epic Games quickly issued a fix for the exploit and deployed it to all users who had installed the vulnerable app. However, if you are worried about the safety of your data, you can delete Fortnite and the Fortnite Installer and reinstall them. This way you will know for sure you have the patched versions of these apps.
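The check-then-install window described above, as an added example that is not Epic Games' code and not part of the original article: a Python simulation contrasting an installer that verifies and then installs from shared storage with one that copies the download into private storage and verifies that copy. Temporary directories stand in for shared and app-private storage; every name, the sample bytes, and the idea that the installer learns the expected SHA-256 from its own server are assumptions.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed sample data standing in for the real game package and a rogue payload.
GENUINE_APK = b"constructed genuine package bytes"
ROGUE_APK = b"constructed rogue package bytes"
# Assumption: the installer gets the expected digest from its own server over TLS.
EXPECTED_SHA256 = hashlib.sha256(GENUINE_APK).hexdigest()

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def rogue_overwrite(path):
    """Another app with WRITE_EXTERNAL_STORAGE replaces the downloaded file."""
    with open(path, "wb") as fh:
        fh.write(ROGUE_APK)

def install(path):
    """Stand-in for the package installer: returns the bytes it would install."""
    with open(path, "rb") as fh:
        return fh.read()

def naive_installer(shared_apk, private_dir, interfere):
    # Verifies the file in shared storage, then installs that same path later.
    if sha256_of(shared_apk) != EXPECTED_SHA256:
        raise ValueError("digest mismatch")
    interfere(shared_apk)  # window between the check and the install
    return install(shared_apk)

def hardened_installer(shared_apk, private_dir, interfere):
    # Copies into installer-private storage, then verifies and installs the copy.
    private_apk = os.path.join(private_dir, "game.apk")
    shutil.copyfile(shared_apk, private_apk)
    interfere(shared_apk)  # same window, but the shared file is no longer used
    if sha256_of(private_apk) != EXPECTED_SHA256:
        os.remove(private_apk)
        raise ValueError("digest mismatch")
    return install(private_apk)

def simulate(installer, interfere=rogue_overwrite, downloaded=GENUINE_APK):
    with tempfile.TemporaryDirectory() as shared, tempfile.TemporaryDirectory() as private:
        shared_apk = os.path.join(shared, "game.apk")
        with open(shared_apk, "wb") as fh:
            fh.write(downloaded)  # the download lands in shared storage
        return installer(shared_apk, private, interfere)
```

If the file is already replaced before the copy is taken (simulate with downloaded=ROGUE_APK), the hardened path raises instead of installing.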
How to protect your Android phone from MitD attacks
Getting your device infected with malware is no fun. Therefore, Internet users must take some important steps to protect themselves from attacks like this. Whether you are a Fortnite fan or are simply worried about your privacy and security, be sure to follow these tips:
Don’t ignore updates.
The most straightforward way to secure your phone is to install updates, as they often contain patches to critical security vulnerabilities. And yet, many Internet users tend to postpone updates until they have more time. Never do that – if an update is there, be sure to get it.
Keep your phone clean.
Given that the Fortnite hack relies on malicious apps that already exist on a user’s phone, do some cleaning to make sure there aren’t any untrusted apps on your device. If you no longer use an app, delete it, as it may be secretly helping cyber criminals without you knowing it.
Be extremely careful when downloading apps from unofficial sources.
Or better still – make the Google Play Store your only place for downloading apps. Google has a strict reviewing process for each new app, allowing only credible ones to make it to the Play Store. If you’re not sure if a particular application is safe to use, do some research. Read user reviews and Google the app name to see whether it has any security issues.
Disable the installation of non-official apps.
To do that, go to Settings ► Security and slide left to turn off Unknown sources.
For general privacy and security, use a reliable VPN service.
A VPN service will encrypt your internet traffic, keeping it safe from anyone who might want to intercept it. Even if a hacker manages to intercept your communications, they won’t be able to decipher them. Look for a VPN provider that uses robust security protocols and offers advanced security features to protect your Android device.
Avoid public Wi-Fi hotspots.
Public Wi-Fi hotspots are often left unsecured. Hackers especially love unprotected networks and have many ways to invade your privacy if you aren’t careful.
Use a trusted antivirus program.
If you’re not using an anti-malware app on your Android device, then you’re putting it at risk of being infected by corrupted apps and other malicious threats. A good antivirus will look for malware and will send you notifications if it finds anything suspicious.