Fortnite Hacker Hole Found by Google, Epic Complains

Two weeks ago, Google researchers found a very serious security hole in Fortnite's Android installer. The flaw — which Epic Games has patched — would have let hackers manipulate the Fortnite installer to load other apps, leaving users’ phones wide open to attack.

Credit: Epic Games

(Image credit: Epic Games)

Google publicly disclosed the vulnerability a week after Epic Games fixed it, but that prompted Epic Games CEO Tim Sweeney to accuse Google of acting in bad faith.

If you've already got Fortnite installed on Android, you're probably safe, as the installer app should have updated itself over the past 10 days. But just to be safe, make sure that the Fortnite installer app on your phone is at version 2.1.0.

MORE: The One Mobile Game You Need to Play Now (No, It's Not Fortnite)

Epic Games — developer of the extremely popular online battle royale-style game previously available for PlayStation 4, Switch, Xbox One, macOS, iOS, and Windows — decided  earlier this month not to release the game in the Google Play app store so that Epic Games could avoid paying the 30-percent cut of sales, as every Android (and Apple) developer that goes through the official app store does.

Epic’s decision — which forced users to change critical security settings in their Android phones that open the way for malicious activities — prompted sharp criticism from security experts all over the internet.

The critics appear to have been right. Google’s security experts found out that the Fortnite Android installer for Samsung's Galaxy phones includes code that makes possible a man-in-the-disk attack, This allows evil apps with low privileges to get control over the Fortnite installer in order to install other malicious apps with higher permissions. (It is not clear whether the installer app for non-Samsung phones was affected.)

Google reported the flaw to Epic Games on the morning of Aug. 15, and the game developers had a fix (version 2.1.0 of the installer) out the door within 36 hours. Fortnite installer apps already on user phones should update to the patched version automatically.

Yet Epic Games strongly criticized Google for publishing information about the installer flaw on Aug. 24, only eight days after the patch was available. The company claims that Google did this in bad faith after Epic specifically asked them not to disclose the bug.

"We asked Google to hold the disclosure until the update was more widely installed," Sweeney tweeted Saturday (Aug. 25). "They refused, creating an unnecessary risk for Android users in order to score cheap PR points."

However, Google’s own security policies establish that security bug reports will be made public after 90 days of the disclosure or after "a patch has been made broadly available." The 90-day windows is to give developers time to fix problems, not to give users three months to install patches. Security experts generally agree that vulnerability patches should be installed as soon as they become available.

Jesus Diaz

Jesus Diaz founded the new Sploid for Gawker Media after seven years working at Gizmodo, where he helmed the lost-in-a-bar iPhone 4 story and wrote old angry man rants, among other things. He's a creative director, screenwriter, and producer at The Magic Sauce, and currently writes for Fast Company and Tom's Guide.

Latest in Online Security
A magnifying glass on top of the Steam logo in a web browser
Valve just pulled a malicious game demo spreading info-stealing malware from Steam
MacBook Pro 2023
New Mac attack is tricking users into thinking their computer is locked — how to stay safe
Hacker using a stolen social security card
Your Social Security number is a literal gold mine for scammers and identity thieves — here’s how to keep it safe
An open lock depicting a data breach
Half a million teachers hit in major data breach with SSNs, financial data and more exposed — what to do now
Green skull on smartphone screen.
Malicious Android apps with 60 million installs bombarding phones with ads and phishing attacks — how to stay safe
Malware
Dangerous new password-stealing trojan automatically reinstalls itself on infected PCs
Latest in News
Rendered images of rumored foldable iPhone.
Foldable iPhone report just revealed key details — here's what we know
Nintendo Switch 2
Nintendo Switch 2 rumored specs — here’s what we know so far
iPhone 17 Pro render
iPhone 17 Pro — 7 biggest rumored upgrades
CAD renderings of the Google Pixel 10 Pro XL
Pixel 10 leak could be good news for all Android phones
A magnifying glass on top of the Steam logo in a web browser
Valve just pulled a malicious game demo spreading info-stealing malware from Steam
Lewis Hamilton of Great Britain and Scuderia Ferrari looks on during Sprint Qualifying ahead of the F1 Grand Prix of China at Shanghai International Circuit in Shanghai, China, on March 21, 2025. (Photo by Song Haiyuan/Paddocker/NurPhoto via Getty Images)
How to watch Chinese Grand Prix 2025 online – stream F1 without cable, qualifying highlights