Two weeks ago, Google researchers found a very serious security hole in Fortnite's Android installer. The flaw — which Epic Games has patched — would have let hackers manipulate the Fortnite installer to load other apps, leaving users’ phones wide open to attack.
Google publicly disclosed the vulnerability a week after Epic Games fixed it, but that prompted Epic Games CEO Tim Sweeney to accuse Google of acting in bad faith.
If you've already got Fortnite installed on Android, you're probably safe, as the installer app should have updated itself over the past 10 days. But just to be safe, make sure that the Fortnite installer app on your phone is at version 2.1.0.
Epic Games — developer of the extremely popular online battle royale-style game previously available for PlayStation 4, Switch, Xbox One, macOS, iOS, and Windows — decided earlier this month not to release the game in the Google Play app store so that Epic Games could avoid paying the 30-percent cut of sales, as every Android (and Apple) developer that goes through the official app store does.
Epic’s decision — which forced users to change critical security settings in their Android phones that open the way for malicious activities — prompted sharp criticism from security experts all over the internet.
The critics appear to have been right. Google’s security experts found out that the Fortnite Android installer for Samsung's Galaxy phones includes code that makes possible a man-in-the-disk attack, This allows evil apps with low privileges to get control over the Fortnite installer in order to install other malicious apps with higher permissions. (It is not clear whether the installer app for non-Samsung phones was affected.)
Google reported the flaw to Epic Games on the morning of Aug. 15, and the game developers had a fix (version 2.1.0 of the installer) out the door within 36 hours. Fortnite installer apps already on user phones should update to the patched version automatically.
Yet Epic Games strongly criticized Google for publishing information about the installer flaw on Aug. 24, only eight days after the patch was available. The company claims that Google did this in bad faith after Epic specifically asked them not to disclose the bug.
"We asked Google to hold the disclosure until the update was more widely installed," Sweeney tweeted Saturday (Aug. 25). "They refused, creating an unnecessary risk for Android users in order to score cheap PR points."
However, Google’s own security policies establish that security bug reports will be made public after 90 days of the disclosure or after "a patch has been made broadly available." The 90-day windows is to give developers time to fix problems, not to give users three months to install patches. Security experts generally agree that vulnerability patches should be installed as soon as they become available.