Epic Games made headlines by announcing that it would not distribute Fortnite through the Play Store. By offering the game for download on its own website, Epic Games avoids paying Google the 30% cut it takes on in-app purchases. However, installing APK files from outside the Play Store requires disabling some security protections and is not for novice users. Many observers worried that this approach would cause problems, and it did not take long for those concerns to be justified: the first Fortnite installer for Android had a flaw that could let other apps on the device load malware in place of the game.
To install Fortnite on an Android phone, you must first install a “helper” app that downloads the game into your phone’s external (shared) storage and then installs it from there. It turns out that any app on the phone holding the WRITE_EXTERNAL_STORAGE permission could intercept the installation and replace the downloaded APK with one of its own choosing, for example one carrying malware, in the window between the download finishing and the install starting. This is called a man-in-the-disk attack.
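To make the race concrete, here is an added simulation of the flow described above (it is not Epic's installer code, and the APK contents, file names, digest and attacker hook are all constructed for illustration). The vulnerable flow installs whatever is on shared storage at install time; the hardened flow keeps the download in app-private storage and installs exactly the bytes it verified, so there is no check-then-use gap left for another app to exploit.

```python
"""Simulation of the installer 'man-in-the-disk' flaw and a hardened flow.
Added example, not Epic's code: the APK bytes, paths, pinned digest and the
attacker hook are constructed stand-ins for illustration only."""
import hashlib
import os
import tempfile

# Constructed stand-ins for the genuine game APK and a malicious replacement.
GENUINE_APK = b"PK\x03\x04 genuine game apk bytes"
MALICIOUS_APK = b"PK\x03\x04 attacker controlled apk bytes"
# Digest the helper app "ships with" (pinned at build time in a real app).
EXPECTED_SHA256 = hashlib.sha256(GENUINE_APK).hexdigest()


def download(dest_path: str) -> None:
    """Stand-in for the network download of the game APK."""
    with open(dest_path, "wb") as f:
        f.write(GENUINE_APK)


def attacker_swap(target_path: str) -> None:
    """What any app holding WRITE_EXTERNAL_STORAGE can do to a file on shared
    storage: overwrite it between the download and the install."""
    with open(target_path, "wb") as f:
        f.write(MALICIOUS_APK)


def package_installer(apk_bytes: bytes) -> str:
    """Stand-in for the system package installer; labels what got installed."""
    return "genuine" if apk_bytes == GENUINE_APK else "malicious"


def vulnerable_install(shared_dir: str, attacker=None) -> str:
    """Original-style flow: download to world-writable external storage and
    hand the path to the installer without checking what is there now."""
    apk_path = os.path.join(shared_dir, "game.apk")
    download(apk_path)
    if attacker:                      # race window: another app wins here
        attacker(apk_path)
    with open(apk_path, "rb") as f:
        return package_installer(f.read())


def hardened_install(private_dir: str, attacker=None) -> str:
    """Hardened flow: app-private directory (not reachable through
    WRITE_EXTERNAL_STORAGE) plus a digest check on the exact bytes that get
    installed, so a swapped file is refused rather than installed."""
    apk_path = os.path.join(private_dir, "game.apk")
    download(apk_path)
    if attacker:                      # simulate an attacker who still got write access
        attacker(apk_path)
    with open(apk_path, "rb") as f:
        apk_bytes = f.read()          # read once ...
    if hashlib.sha256(apk_bytes).hexdigest() != EXPECTED_SHA256:
        raise ValueError("APK digest mismatch; refusing to install")
    return package_installer(apk_bytes)  # ... install exactly those bytes


def demo() -> dict:
    """Run both flows with and without the attacker; returns the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as shared, tempfile.TemporaryDirectory() as private:
        results["vulnerable_no_attacker"] = vulnerable_install(shared)
        results["vulnerable_attacked"] = vulnerable_install(shared, attacker_swap)
        results["hardened_no_attacker"] = hardened_install(private)
        try:
            results["hardened_attacked"] = hardened_install(private, attacker_swap)
        except ValueError as e:
            results["hardened_attacked"] = "refused: " + str(e)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The pinned full-file digest is a simplification chosen to keep the example self-contained; a real helper app would more likely verify the downloaded APK's signing certificate against the expected developer certificate (Android's PackageManager exposes the archive's signatures for this), which survives game updates without rebuilding the helper. The two points that matter regardless of which check is used are that the file lives where other apps cannot write to it, and that the bytes checked are the bytes installed.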
On Samsung phones, which had a short-lived exclusive on Fortnite, the game is installed via a private Galaxy Apps API, which makes the attack even easier. Any app with the right package name (com.epicgames.fortnite) can pretend to be Fortnite and get itself installed silently in the background. Again, that could be malware.
Google’s developers detected this flaw as soon as the game was released on Android. An Android issue tracker thread provides details and video evidence of the vulnerability. Epic Games responded and got to work fixing it; to its credit, it released a new version of the installer that no longer allows APK replacement within a few days. However, this does not absolve Epic Games of responsibility. Its decision to bypass the Play Store has already put users at risk, and who is to say that something like this will not happen again? Distributing outside the Play Store may look like a smart business decision, but Epic could also harm itself in the long run if it contributes to users receiving malware.