Tim Sweeney, the CEO of Epic Games, has accused Google of scoring “cheap PR points” after the latter publicly announced that the installation software of the popular game Fortnite could be hijacked by hackers to install malware.
The Fortnite mobile game has garnered a huge response from fans from across the globe, raking in over $1 billion in profits since it launched in October last year. The game can be played on iOS devices, PS4, Xbox One, Nintendo Switch, Macs and PCs, and is free to play.
However, in order to play Fortnite, Android device users need to install a APK file from the Epic Games portal instead of downloading the game on the Google Play Store. This is because Epic Games decided not to keep its app on the Play Store as Google’s terms of service required the company to share 30 percent of in-game fees with it.
Epic Games did not have the luxury of doing such a thing with Apple as iOS devices do not permit the installation of APK files or apps from any source other than the official App Store. As a result, unlike Android users, iOS device users can download the game directly from the official App Store instead of downloading it from Epic Games portal.
Google discovers a critical bug in Fortnite APK
Earlier this month, security teams at Google discovered that Fortnite APK, that could be downloaded by the Fortnite installer into a device’s external storage, contained a flaw that allowed a hacker to substitute the APK immediately with a malware after a download was completed and the fingerprint was verified.
“On Samsung devices, the Fortnite Installer performs the APK install silently via a private Galaxy Apps API. This API checks that the APK being installed has the package name com.epicgames.fortnite. Consequently the fake APK with a matching package name can be silently installed.
“If the fake APK has a targetSdkVersion of 22 or lower, it will be granted all permissions it requests at install-time. This vulnerability allows an app on the device to hijack the Fortnite Installer to instead install a fake APK with any permissions that would normally require user disclosure,” it said.
Google added that Android device users could avoid this vulnerability by using a private internal storage directory rather than external storage. It also said that since the bug was subject to a 90-day disclosure deadline, a detailed bug report would be made public after the expiry of the disclosure deadline.
Following Google’s report, representatives from Epic Games acknowledged it, confirmed the presence of the bug, and released a patch on 17th August to change the default APK storage directory from external to internal storage.
“This patch changes the default APK storage directory from external to internal storage, which should prevent MITD attacks during the install flow. The patched launcher is version 2.1.0, and all existing installs should upgrade in place,” they added.
At the same time, the representatives requested Google not to disclose the issue to the public before the 90-day deadline expired so that Fortnite players on Android could patch their devices in time. However, Google denied the request on 24th August, stating that since the patched version of Fortnite Installer was available for seven days, it would unrestrict the issue in line with Google’s standard disclosure practices.
Epic Games lashes out
This prompted Epic Games’ CEO Tim Sweeney to publicly protest Google’s decision to disclose the issue long before the 90-day deadline expired.
“Android is an open platform. We released software for it. When Google identified a security flaw, we worked around the clock (literally) to fix it and release an update. The only irresponsible thing here is Google’s rapid public release of technical details.
“We asked Google to hold the disclosure until the update was more widely installed. They refused, creating an unnecessary risk for Android users in order to score cheap PR points,” he tweeted on the 25th.
To be sure, Sweeney isn’t the first. Back in 2015, and then in 2017, Microsoft twice protested Google’s decision to make vulnerabilities public before patches were released.
In late 2015, Google published details of a Windows zero-day flaw after giving Microsoft a week’s notice. In response, Microsoft said it believed in coordinated vulnerability disclosure and that the disclosure put customers at potential risk.
In March 2017, Google’s Project Zero team disclosed a vulnerability in Edge and Internet Explorer to the public, 90 days after it reported the same to Microsoft. In response, Microsoft said it was having “an ongoing conversation with Google about extending their deadline since the disclosure could potentially put customers at risk”.
Epic Games put users at risk
Even though Sweeney may have a point that the hurried disclosure would put many Fortnite users at risk, it is also true that in order to play the game, Android device users will have to disable an essential security feature that disallows the installation of files from third-party platforms. It is possible that many Android device owners may forget to enable the feature again after disabling it, and this would put their devices at risk of malware intrusion.
According to security researcher Graham Cluley, even though Google may have acted inappropriately by making the vulnerability public so soon, it was primarily Epic Games’ fault that it chose not to place its app on the Google Play Store and secondly, did not keep its APK bug-free, thereby placing users at risk.
“It was Epic Games which decided not to distribute its software in the (safer) Google Play store against the advice of security experts. It was Epic Games which failed to properly quality control one of the world’s most popular video games and allow its vulnerable code to be installed on tens of millions of devices.
“If Google hadn’t found the security hole there is a chance that a malicious hacker would have done, and potentially could have put a large number of Android users at risk because of Epic Games’s utter failure to do its job properly,” he said.