Google security researchers discovered a Man-in-the-Disk (MitD) vulnerability that allows other applications to hijack the Fortnite app's installation process and install other malicious applications with root level permissions. The Fortnite game developer, Epic Games, has released patches for the vulnerability. Please refer to the Man In The Disk article for more information on how the attack works.

What is a MitD Attack?

In layman's terms, MitD attacks are possible when Android apps store data in external storage rather than in the highly secure internal storage space provided to them. Because external storage is shared by all applications, an attacker can potentially tamper with the application data kept there.

The Fortnite app is vulnerable to this attack since the actual app in the Play Store does not contain the game but just the installer. Once the game is installed by the installer using the external storage, users can play the game.

“Any app with the WRITE_EXTERNAL_STORAGE permission can substitute the APK immediately after the download is finished and the fingerprint is verified. This is easily done using a FileObserver. The Fortnite Installer will continue to install the substituted (fake) APK,” a Google researcher wrote in a bug report recently made public…
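The gap between verifying the fingerprint and installing the file can be modelled off-device. The following is an added example, not code from Epic Games or from the Google report: a Python simulation in which temporary directories stand in for external and internal storage, and the function names and the `on_verified` hook (which models a change to the shared file after the check) are hypothetical.

```python
import hashlib
import os
import tempfile

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def install_from_shared(path, expected, on_verified=None):
    """Pattern described above: verify the shared file, then reopen it to install."""
    with open(path, "rb") as f:
        if sha256(f.read()) != expected:
            raise ValueError("fingerprint mismatch")
    if on_verified:
        on_verified()              # the shared file may change between check and use
    with open(path, "rb") as f:
        return f.read()            # bytes that would actually be installed

def install_from_private(shared_path, private_dir, expected, on_verified=None):
    """Hardened pattern: copy once into app-private storage, verify and install that copy."""
    with open(shared_path, "rb") as src:
        data = src.read()
    private_path = os.path.join(private_dir, "package.apk")
    fd = os.open(private_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as dst:
        dst.write(data)
    if sha256(data) != expected:
        os.remove(private_path)
        raise ValueError("fingerprint mismatch")
    if on_verified:
        on_verified()              # later changes to the shared file no longer matter
    with open(private_path, "rb") as f:
        return f.read()

def demo():
    # Constructed sample data standing in for a genuine and a replaced download.
    genuine, replaced = b"constructed genuine package", b"constructed replaced package"
    expected = sha256(genuine)
    with tempfile.TemporaryDirectory() as shared, tempfile.TemporaryDirectory() as private:
        path = os.path.join(shared, "download.apk")
        def write(data):
            with open(path, "wb") as f:
                f.write(data)
        write(genuine)
        weak = install_from_shared(path, expected, lambda: write(replaced))
        write(genuine)
        strong = install_from_private(path, private, expected, lambda: write(replaced))
    # True means the installed bytes are the ones whose fingerprint was verified.
    return weak == genuine, strong == genuine

if __name__ == "__main__":
    print(demo())
```

On Android the private copy corresponds to the app's internal storage directory, which other apps cannot write to.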

https://latesthackingnews.com/2018/08/28/android-application-fortnite-vulnerable-to-man-in-the-disk-attack/
