Security

We're all sick of Fortnite, but the flaw found in its downloader is the latest way to attack Android

Man-in-the-Disk technique able to add malicious files to a device's external storage


A newfound way to hack Android using a technique dubbed "Man-in-the-Disk" is central to the recent security flap about Fortnite on the mobile platform.

Man-in-the-Disk can circumvent sandboxes and infect a smartphone or tablet using shared external storage through a seemingly harmless Android application.

Sandboxing isolates applications from each other. The idea is that even if a malicious application found its way on to an Android device, it wouldn't be able to steal data associated with other apps.

Check Point researcher Slava Makkaveev explained, during a presentation at the DEF CON hacking jamboree in Las Vegas, how an application with no particularly dangerous or suspicious permissions can escape the sandbox.

The technique – named after the well-known Man-in-the-Middle type of attack – works by abusing calls to read or write to external storage, a routine function of mobile applications.

External storage is also often used for temporarily storing data downloads from the internet. An application may use the area to store supplementary modules that it installs to expand its functionality, like additional content or updates.

Ah, um, let's see. Yup... Fortnite CEO is still mad at Google for revealing security hole early

READ MORE

The problem is that any application with read/write access to the external storage can gain access to the files and modify them, adding something malicious. Google has already warned app developers to be wary of malfeasance in this area.

Makkaveev discovered that not all app developers, not even Google employees or certain smartphone manufacturers, follow the advice. Makkaveev demonstrated exploitation of the vulnerability in Google Translate, Yandex.Translate, Google Voice Typing, and Google Text-to-Speech, as well as system applications by LG and the Xiaomi browser.

He warned that vulnerable apps are likely numerous, an observation evidenced by events over the last few days.

Google researchers recently discovered that the same Man-in-the-Disk attack can be applied to the Android version of the popular game Fortnite. To download the game, users need to install a helper app first. This, in turn, is supposed to download the game files.

But by using the Man-in-the-Disk attack, a crook can trick the helper into installing a malicious application.

Fortnite's developer, Epic Games, is aware of this vulnerability and has already issued a new version of the installer. Players should be using version 2.1.0 to stay safe. If you have Fortnite already installed, remove it then reinstall from scratch using the patched version of the software.

Epic Games is none too pleased that Google went public with the exposure of Fortnite to this class of vulnerability, as previously reported. Kaspersky Lab CTO Nikita Shvetsov noted on Monday that the flaw stemmed from the same "Man-in-the-Disk" attack some Google apps were revealed as being vulnerable to earlier this month.

Kaspersky Lab's explanation of the Man-in-the-Disk vulnerability – and how consumers can minimise their exposure to the problem – can be found here. ®

Send us news
51 Comments

Google debuts first Android 15 developer preview without a single mention of AI

Expect it to be stable in June, ready for release sometime after July

Euro shoppers popping more and more premium phones in the basket

Apple ousts Samsung as the people's choice in Q4, and the words 'refresh' and 'cycle' are whispered for 2024

Google sends Gemini AI back to engineering to adjust its White balance

Big Tech keeps poisoning the well without facing any consequences for its folly

It's crazy but it's true: Apple rejected Bing for wrong answers about Annie Lennox

Cupertino only wanted to be with Google for search – despite the prospect of buying Bing outright

Reddit signs AI training deal with Google – and why OpenAI's Altman could be the winner

IPO docs drop showing just who has a stake in the forum

Google debuts Gemini 1.5 Pro model in challenge to rivals

OpenAI meanwhile teases experimental text-to-vid system Sora

Google Maps leads German tourists to week-long survival saga in Australian swamp

Pair had to dodge croc on trek back to civilization

Web archive user's $14k BigQuery bill shock after running queries on 'free' dataset

Researcher makes case for default limits after arriving via Python library

Cybercriminals are stealing iOS users' face scans to break into mobile banking accounts

Deepfake-enabled attacks against Android and iPhone users are netting criminals serious cash

Google open sources file-identifying Magika AI for malware hunters and others

Cool, but it's 2024 – needs more hype, hand wringing, and flashy staged demos to be proper ML

Google co-founder Brin named a defendant in wrongful death complaint

Lawsuit accuses contractor and co-defendants of 'pacify and delay' tactics

Zoom stomps critical privilege escalation bug plus 6 other flaws

All desktop and mobile apps vulnerable to at least one of the vulnerabilities