Google discloses vulnerability in Fortnite launcher that allowed possible malware installation
Epic Games has since fixed the exploit, but CEO Tim Sweeney calls Google disclosure "irresponsible"
Fortnite has skipped the Google Play store for its Android release, but in bypassing the security protections offered by Google Play, it potentially allowed a major vulnerability to make its way into the launcher. On Friday, Google publicly disclosed a bug in the Fortnite launcher that potentially allowed attackers to install malware onto Android devices.
The flaw, which has since been fixed in version 2.1.0 of the app, was essentially a weakness in the Fortnite installer app that allowed other programs already downloaded onto the device to go through the launcher and install other programs without the user's knowledge. For the vulnerability to cause a problem, the user would already need to have an app on their phone looking for it; if they did, malware could be installed and launched through the Fortnite app while the user assumed they were installing and launching Fortnite itself.
While the issue was fixed shortly after Google made the information public, Epic CEO Tim Sweeney responded to Google's publication of the issue in a comment made to Android Central:
"Epic genuinely appreciated Google's effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered.
"However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable.
"An Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed. Google refused. You can read it all at https://issuetracker.google.com/issues/112630336
"Google's security analysis efforts are appreciated and benefit the Android platform, however a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic's distribution of Fortnite outside of Google Play."
It's worth noting that, regardless of whether the exploit would have existed had Fortnite been distributed through Google Play, Google Play Protect is able to stop apps from being installed when issues such as these present themselves.
Epic Games told GamesIndustry.biz earlier this month that it is skipping the Google Play store specifically to avoid the 30% cut of revenue that Google takes from a game's sales.