Malware vulnerability in Android Fortnite launcher solved, but not before Google discloses the issue

Epic CEO Tim Sweeney calls Google's disclosure of the issue 'irresponsible.'

Last week, Google revealed a vulnerability in the app launcher for the Android version of Fortnite. The issue has since been patched, but not before Google went public with the nature of the potential dangers. According to Android Central, it was what’s called a “man-in-the-disk” attack. It works by allowing an app (in this case the Fortnite installer) to be accessed by other programs already on the device. In this way, new malicious software may be placed onto the device via the installer.

In a statement to Android Central, Epic Games CEO Tim Sweeney expressed frustration that Google was so quick to make public the nature of the vulnerability:

"Epic genuinely appreciated Google's effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered. However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable.

"An Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed. Google refused. Google's security analysis efforts are appreciated and benefit the Android platform, however a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic's distribution of Fortnite outside of Google Play."

Epic recently made news by announcing that Fortnite is skipping the Google Play store, but it’s unknown if that decision might be related to the attack. In forgoing the store, Epic is also forgoing the security protections offered by Google Play. It’s worth noting, however, that there is a history of malware making it through the store’s defenses.

Unfortunately, this is part of what people were concerned about when Epic announced plans to bypass Google and go straight to the player.

“Reasonably, there are some concerns about how exactly this will work, and whether it opens up Android users to any potential security or data privacy risks since running third-party software outside the Play Store involves removing certain protections on Android devices,” the Verge reported earlier this month.

Regardless, Fortnite's already huge audience is only bound to get bigger through the Android platform. The battle royale game has been nothing short of a money printing machine for Epic, and it’s doubtful that the malware attack will do much to staunch that.

Sam has been freelancing since 2016, and has bylines at IGN, PCGamesN, PCGamer, and Unwinnable. When not writing about games, he is most likely taking care of his two dogs or pretending to know a lot about artisan coffee. Get in touch with Sam by emailing him at sdesatoff@gmail.com, or follow him on Twitter.