On Friday, Google disclosed a serious security flaw in the Android version of Epic Games’ famous online game Fortnite. According to Google, Fortnite’s Android installer had a vulnerability that could allow malicious apps to be installed on devices.
Google’s decision to probe Fortnite for Android was aimed at protecting the tens of millions of users that are using the mobile game—at least that’s what Google says. But a look at the weeks-long dispute shows that while the security of gamers hangs in the balance, the priorities of Epic Games and Google lie elsewhere.
Epic’s selfish move to circumvent Google’s cash cow
Epic rolled out the Android version of its smash hit at the beginning of August. But contrary to the recommended process, the company decided to distribute Fortnite for Android through its own website as opposed to publishing it on Google Play Store.
To get Fortnite Android, users must first install the Fortnite Installer, which they can get through the Galaxy App Store (for Samsung devices) or by registering through Epic’s website (for all other Android devices). Once installed, the Fortnite Installer downloads the latest version of Fortnite from Epic’s servers and installs it on your smartphone.
Epic decided to circumvent Play Store to bypass the 30 percent cut Google takes from the revenue made through any app published on its app store. 30 percent is a lot, especially for a game that brought in $318 million in May alone. This is the amount that all apps are paying to Google for the privilege of being able to use the Play Store. (Note: Apple charges a similar amount on its App Store, but there’s no way for Epic to distribute its app outside of the App Store.)
But going it alone is not a viable option for everyone. Most companies and indie developers need the Google Play Store to gain access to the billions of users that have it installed on their phones. But Fortnite, which already has a 125 million users on other platforms, doesn’t need Play Store’s exposure to reach its audience.
But distributing the app outside of the Play Store means users must compromise their security to install Fortnite on their devices. By default, Android only allows users to install apps from the Play Store, where Google thoroughly reviews every application for security failures. This doesn’t mean that there aren’t malicious apps on Google Play, but at least it’s much more reliable than unknown sources.
To be able to install Fortnite on their Android, users must change the setting on their phone to be able to sideload apps from other app stores and unknown sources. But this means that any other app that comes from other potentially malicious sources can find their way into their phones. Given the popularity of Fortnite, this is a risk that many users are willing to take. For instance, if a user receives a phishing email that contains them to a phony website that contains a malware-infected version of Fortnite, their phone won’t protect them if they install it.
Considering that a large number of the game’s players are children, there are many ways the installation process can be compromised to install malicious apps on users devices. Also, since in-app payments are very popular in Fortnite, cybercriminals are more motivated to target its users.
Users can disable the option after installing Fortnite, but they’ll have to re-enable it every time there’s an update. History proves that the average user prefers convenience over security.
Google takes revenge in a way that endangers users
Even though Epic didn’t submit Fortnite for publication in Play Store, Google probed the game for any possible vulnerabilities to drive a point. And to its delight, it found what it was looking for.
According to Google’s Issue Tracker platform, Google communicated a serious security flaw to Epic Games on August 15. According to the Google engineer that filed the flaw, a malicious app can compromise the Fortnite Installer’s download-and-install process to download a malware-embedded app on the device that gets full access to the user’s camera, location, microphone, SMS, storage and telephone.
The engineer who reported the flaw also posted a video which shows how the exploit works and an inauthentic version of the game is installed on the device.
Of course, the exploit will only work if a malicious app is already present on the device to intercept the download request and redirect it to the malicious source. But you’ve already increased the chances that malicious apps find their way on your device when you’ve changed your phone’s settings to accept installers from unknown sources.
Epic’s infosec team confirmed the flaw thanked Google’s engineer for their discovery, and fixed the flaw within the next 48 hours. Then they requested that Google waits 90 days before it discloses the discovery. This period is meant to give Epic enough time to make sure all devices have been updated and aren’t vulnerable to the exploit.
Google’s response came seven days later, on August 24: “now [that] the patched version of Fortnite Installer has been available for 7 days we will proceed to unrestrict this issue in line with Google’s standard disclosure practices.”
A Google spokesperson told Android Central: “User security is our top priority, and as part of our proactive monitoring for malware we identified a vulnerability in the Fortnite installer.”
But its quick disclosure could have perfectly been a revenge against Epic Games. To be clear, few companies have the independent reach of Epic Games to be able to circumvent the Play Store, but Google’s quick disclosure is an implicit threat against companies that think of replicating Epic’s practice in the future.
Epic’s CEO Tim Sweeny called Google’s quick disclosure “irresponsible,” especially since many installations had not yet been updated and were still vulnerable. Sweeny also accused Google of endangering users “in the course of its counter-PR efforts against Epic’s distribution of Fortnite outside of Google Play.”
Users are the real losers in the struggle between the giants
As two companies that are already flush with cash, you would expect both Google and Epic Games to show better judgment.
Epic Games is right in its feeling that Google is ripping off its developers by imposing the 30-percent levy on their in-app revenues. It’s a sentiment that many developers share. But Epic’s decision to bypass Google Play and maximize its profits at the expense of the security of its users was a poor judgement.
Likewise, Google’s retaliation to disclose Fortnite’s vulnerability in such as short timespan was equally poor, because again it came at the expense of users who still hadn’t updated their installer app.
But as both companies are in a tug of war over their share of the game’s revenue, the one thing that seems to lose its meaning is the security of the users who will be affected by their decisions.
The entire episode reminds me of a quote from one of my favorite novels: “Whether the bear beats the wolf or the wolf beats the bear, the rabbit always loses.”