Android Exploit exploit Featured Fortnite Full XDA News samsung Tech vulnerability XDA Analysis XDA Android XDA Editorial XDA Feature

Fortnite Installer could be abused to silently install apps on Galaxy phones

Fortnite Mobile on Android - Can your smartphone or tablet run it?

The launch of Fortnite Cellular on Android hasn’t been too nice, particularly since most of the supported units actually wrestle to play the sport with acceptable body charges. The sport launched as a Samsung Galaxy unique for less than three days. The Fortnite Installer was first out there on Samsung Galaxy Apps earlier than Epic Video games allowed non-Samsung gamers to obtain and install the complete recreation from the Fortnite Installer obtained on Epic’s web site. Shortly after the Fortnite Installer turned obtainable, Epic Video games quietly pushed an replace to the Installer. Now we all know why: They patched a Man-in-the-Disk exploit that made it attainable for a malicious app to silently install any app they needed on Samsung Galaxy smartphones. As a result of there was some confusion about how this flaw works, we’ll attempt to clear issues up. First, we’d like to clarify the fundamentals of app set up on Android.


App Set up Stream on Android Smartphones

Silent installations from first-party sources

To silently install an APK on Android with out prompting the consumer for permission, you want to have a system-level software with the INSTALL_PACKAGES permission granted. Examples of purposes with this permission embrace the Google Play Retailer on most Android units. First-party software shops on units from Samsung, Huawei, and different system makers may additionally have the INSTALL_PACKAGES permission granted. If you would like to install any app from the Google Play Retailer, it’ll deal with the obtain and routinely install the app for you with out additional intervention after you press “Install.” (The Google Play Retailer even mechanically grants sure runtime permissions such because the one for overlays, whereas apps put in from outdoors of the Play Retailer want to ask the consumer to grant these permissions.)

In the event you’re curious whether or not an app on your system has the INSTALL_PACKAGES permission, you will discover out by way of an ADB command.

adb shell
dumpsys package deal package deal.identify.right here | grep “INSTALL_PACKAGES”

As an example, the Google Play Retailer’s package deal identify is “com.android.merchandising“. One other app with this permission is Shell with the package deal identify com.android.shell. For these of you who use rootless Substratum by way of the Andromeda plug-in on Android Oreo, the Andromeda script run out of your PC retains the shell course of operating so Substratum can use it to install packages (the theme overlays) after which use the OverlayManager instructions to allow the overlays.

Aspect-loading apps from third-party sources

For those who try to obtain and install an app from outdoors of a first-party app retailer, you’ll first want to allow unknown set up sources. This lets the Package deal Supervisor Service inside the Android framework (which has the INSTALL_PACKAGES permission) know that you simply acknowledge the dangers of side-loading apps from third-party sources. On pre-Android Oreo units, there’s a single toggle in Safety settings to permit set up from unknown sources. On Android Oreo and later variations, an app calling for the set up of an APK should declare the REQUEST_INSTALL_PACKAGES permission and the consumer should whitelist that app so it could actually request app installs by way of the Package deal Supervisor Service. Since REQUEST_INSTALL_PACKAGES is an “appop” permission, that makes it one of many permissions that may be managed from inside Settings’ permission supervisor or by way of the cmd appops shell command.

As soon as set up from unknown sources is enabled both globally or particularly for a requesting software, then the consumer can side-load an app. Nevertheless, the Package deal Supervisor doesn’t permit the app to be put in silently. Quite, it’ll immediate the consumer whether or not they need to install the app and record any delicate permissions that it requests to be granted on install. If the consumer accepts, then the app is put in with the requested non-runtime permissions. OEMs may also customise the Package deal Supervisor: For example, the Package deal Supervisor within the Chinese language model of Huawei’s EMUI 5 has a function to scan the APK to determine if it’s protected and management what permissions are granted earlier than set up. I’ve noticed this on the Honor Notice eight operating EMUI 5 imported from China, although I’m positive different Chinese language Huawei and Honor units even have this function of their Package deal Managers.

In any case, that about sums up the distinction between putting in an app from an accepted, first-party supply and third-party supply. When you try to install an app from the Play Retailer or equal app retailer with the INSTALL_PACKAGES permission, it’ll silently deal with the install all on its personal with out additional consumer intervention after you begin the obtain. However in the event you obtain an APK from XDA Labs, APKMirror, or different third-party sources, the usual package deal installer will deal with the install and immediate the consumer to install that package deal. So the place does the Fortnite Installer are available and why is that this all related?

A Flaw in Fortnite’s Set up Course of

Earlier as we speak, Google disclosed a vulnerability they found with the primary model of the Fortnite Installer. The vulnerability was demonstrated on the Exynos Samsung Galaxy S8+ (dream2lte) but in addition affected all different Samsung Expertise units together with the Samsung Galaxy Observe 9 and Samsung Galaxy Tab S4. The vulnerability permits an already-installed malicious software to benefit from the best way the Fortnite Installer tries to install Fortnite for the primary time on Samsung Galaxy units. Through the use of a personal API in Samsung Galaxy Apps, the Fortnite Installer bypasses the necessity to immediate the consumer by way of the usual package deal installer to install Fortnite. That’s as a result of Galaxy Apps has the permission it wants to deal with the set up silently. There wouldn’t be something mistaken with this silent set up course of if the app that’s being silently put in is the actual Fortnite. However due to the place the Fortnite Installer saved the downloaded APK file for the Fortnite recreation, it was simply exploitable.

The AndroidManifest from Samsung Galaxy Apps exhibits that Galaxy Apps has the permission to install different apps on its personal, bypassing the usual package deal installer.

In accordance to the report on the Concern Tracker, the Fortnite Installer would obtain the Fortnite Cellular APK to /sdcard/Android/knowledge/com.epicgames.portal/information/downloads/. That is thought-about “external storage” on Android as /sdcard is a symbolic hyperlink to /knowledge/media/CURRENT_USER, and /sdcard was the identify used within the early days of Android when app knowledge was saved on bodily SD playing cards. These days, app knowledge is often saved in app-specific directories in /knowledge/knowledge/, and every app solely has entry to the information in its personal /knowledge/knowledge listing. Thus, if the Fortnite Installer saved the downloaded Fortnite APK to its personal /knowledge/knowledge/ listing, it will be unattainable for any app with out learn permissions (ie. with out root entry) to know what’s occurring on this listing.

Nevertheless, because the Fortnite Installer saved the downloaded APK in exterior storage, it could be monitored and overwritten by any app with exterior storage learn permissions. Usually, apps write to /knowledge/media, the “virtual SD card,” once they retailer information that want to be accessed by the consumer by way of MTP or by different apps. For an app to learn or write to /knowledge/media, they want to have the READ_EXTERNAL_STORAGE and WRITE_EXTERNAL_STORAGE permissions respectively (each are underneath the identical permission group and are therefore granted collectively). Earlier than Android four.four KitKat, most apps requested these permissions upon set up as a result of in any other case, they wouldn’t be in a position to learn or write to the information of their package deal’s designated exterior storage listing in /knowledge/media/…/Android/. With the introduction of FUSE to emulate FAT-on-sdcard fashion listing permissions in Android four.four KitKat, apps not want any permissions to entry information of their designated listing in exterior storage. Accessing information in some other listing would nonetheless want the exterior storage permissions, which is what a malicious app can do to hijack the Fortnite set up course of.

As proven within the video under, a malicious app with the READ_EXTERNAL_STORAGE permission screens the Fortnite Installer’s obtain listing in exterior storage. When it detects that the obtain is full and the fingerprint is verified, it replaces the downloaded Fortnite package deal with its personal malicious package deal thanks to the WRITE_EXTERNAL_STORAGE permission. Nevertheless, due to the best way that Samsung Galaxy Apps verifies the Fortnite APK earlier than set up (…it simply checks if the package deal identify is “com.epicgames.fortnite”), it’s potential to have Galaxy Apps silently install the malicious package deal within the background with no consumer intervention or notification—as long as the malicious package deal’s identify was “com.epicgames.fortnite.” Even worse, if this malicious package deal focused SDK degree 22 or decrease (Android 5.1 Lollipop and earlier), it might mechanically be granted all permissions outlined in its manifest as a result of runtime permissions are solely obligatory for apps concentrating on SDK degree 23 and above (Android 6.zero Marshmallow and later).

However what would occur on non-Samsung units? Properly, as a result of Samsung Galaxy Apps isn’t put in on non-Samsung units, the malicious APK gained’t be silently put in within the background. Fortnite Installer is a third-party app and therefore wants to first immediate the consumer to allow set up from unknown sources after which ship a request to the package deal installer to install the pretend Fortnite APK. It might then rely on the consumer to faucet “Install” when requested if they need to install the app or not. That is problematic no matter the truth that non-Samsung phones aren’t in peril of a malicious app being silently put in within the background. The typical consumer would be none the wiser if a malicious APK crafted with “Fortnite” in its identify and the Fortnite app icon is introduced to them for set up.

Nonetheless, there’s a transparent distinction between exploiting this flaw on Samsung Galaxy smartphones and non-Samsung smartphones. The previous is a Man-in-the-Disk assault that additionally takes benefit of a hidden system API to silently install any app within the background, with any permissions, and without having to trick the consumer into considering they’re putting in a pretend Fortnite APK. The latter is a normal Man-in-the-Disk assault that may additionally occur to different apps that save APKs or different necessary knowledge in exterior storage directories, as proven by the current CheckPoint submit. It simply so occurs that, thanks to the hidden Galaxy Apps API, this Man-in-the-Disk assault is extra harmful on Samsung Galaxy units.

Fixing the Flaw

To Epic Video games’ credit score, they responded in a short time to the report on the Google Difficulty Tracker and rolled out an replace to model 2.1.zero as quick as they could. The repair was easy—simply save the downloaded Fortnite APK to the Fortnite Installer’s inner storage listing in /knowledge/knowledge quite than its exterior storage listing in /knowledge/media. The Epic Video games’ engineer requested that the flaw be disclosed after 90 days, although Google declined and made the difficulty public 7 days after a repair was rolled out. Epic Video games’ CEO Tim Sweeney was not proud of the fast turnaround time from the preliminary safety report to its disclosure. He provided the next assertion to Android Central.

Epic genuinely appreciated Google’s effort to carry out an in-depth safety audit of Fortnite instantly following our launch on Android, and share the outcomes with Epic so we could speedily challenge an replace to repair the flaw they found.

Nevertheless, it was irresponsible of Google to publicly disclose the technical particulars of the flaw so shortly, whereas many installations had not but been up to date and have been nonetheless weak.

An Epic safety engineer, at my urging, requested Google delay public disclosure for the standard 90 days to permit time for the replace to be extra extensively put in. Google refused. You possibly can learn all of it at https://issuetracker.google.com/issues/112630336

Google’s safety evaluation efforts are appreciated and profit the Android platform, nevertheless an organization as highly effective as Google ought to apply extra accountable disclosure timing than this, and never endanger customers in the middle of its counter-PR efforts towards Epic’s distribution of Fortnite outdoors of Google Play.

I can’t converse for what number of present Samsung Galaxy units nonetheless have the older Fortnite Installer. Perhaps Epic Video games ought to inform these customers to replace their install by sending a message in Fortnite Cellular. Firebase’s nifty new In-App Messaging function could do the trick. Though, it’s in all probability not an enormous deal anyway as a result of, if a consumer with the older installer already downloaded the professional Fortnite, then any MITD assault gained’t work as a result of the malicious APK can’t be put in on prime of the prevailing Fortnite set up. In any case, the invention of this flaw so early after Fortnite’s launch on Android—when there’s nonetheless a lot controversy about Epic Video games’ choice to ditch Google Play—definitely helps the argument that Epic Video games’ choice was careless. Whether or not that was Google’s intention behind publicizing this situation so shortly, we’ll by no means know.

Need extra posts like this delivered to your inbox? Enter your e-mail to be subscribed to our publication.

!perform(f,b,e,v,n,t,s)if(f.fbq)return;n=f.fbq=perform()n.callMethod?
n.callMethod.apply(n,arguments):n.queue.push(arguments);if(!f._fbq)f._fbq=n;
n.push=n;n.loaded=!zero;n.model=’2.zero’;n.queue=[];t=b.createElement(e);t.async=!zero;
t.src=v;s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)(window,
doc,’script’,’https://connect.facebook.net/en_US/fbevents.js’);
fbq(‘init’, ‘403489180002579’); // Insert your pixel ID right here.
fbq(‘monitor’, ‘PageView_XDA’);