We're all sick of Fortnite, but the flaw found in its downloader is the latest way to attack Android

Man-in-the-Disk technique able to add malicious files to a device's external storage

A newfound way to hack Android using a technique dubbed "Man-in-the-Disk" is central to the recent security flap about Fortnite on the mobile platform.

Man-in-the-Disk can circumvent sandboxes and infect a smartphone or tablet using shared external storage through a seemingly harmless Android application.

Sandboxing isolates applications from each other. The idea is that even if a malicious application found its way on to an Android device, it wouldn't be able to steal data associated with other apps.

Check Point researcher Slava Makkaveev explained, during a presentation at the DEF CON hacking jamboree in Las Vegas, how an application with no particularly dangerous or suspicious permissions can escape the sandbox.

The technique – named after the well-known Man-in-the-Middle type of attack – works by abusing calls to read or write to external storage, a routine function of mobile applications.

External storage is also often used to temporarily hold data downloaded from the internet. An application may use the area to store supplementary modules that it installs to expand its functionality, such as additional content or updates.

The problem is that any application with read/write access to the external storage can gain access to the files and modify them, adding something malicious. Google has already warned app developers to be wary of malfeasance in this area.

Makkaveev discovered that not all app developers, not even Google employees or certain smartphone manufacturers, follow the advice. Makkaveev demonstrated exploitation of the vulnerability in Google Translate, Yandex.Translate, Google Voice Typing, and Google Text-to-Speech, as well as system applications by LG and the Xiaomi browser.

He warned that vulnerable apps are likely numerous, an observation evidenced by events over the last few days.

Google researchers recently discovered that the same Man-in-the-Disk attack can be applied to the Android version of the popular game Fortnite. To download the game, users need to install a helper app first. This, in turn, is supposed to download the game files.

But by using the Man-in-the-Disk attack, a crook can trick the helper into installing a malicious application.
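One way an app can defend against the file swap described above, shown as an added example (not code from Check Point, Google or Epic Games): copy the file out of shared storage into app-private storage, verify the private copy against a SHA-256 digest, and use only that copy. The class and method names are hypothetical, and the expected digest is assumed to arrive over a trusted channel.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Added example (hypothetical names): stage a shared-storage file privately, then verify it. */
public final class StagedDownload {

    /**
     * @param sharedFile     file in external storage that other apps can modify (untrusted)
     * @param privateDir     app-private directory that other apps cannot write to
     * @param expectedSha256 digest obtained over a trusted channel (assumption),
     *                       for example pinned in the app or fetched over TLS
     * @return path of the verified private copy; callers must use only this path
     */
    public static Path stageAndVerify(Path sharedFile, Path privateDir, byte[] expectedSha256)
            throws IOException, NoSuchAlgorithmException {
        // 1. Copy first. After this point, changes to sharedFile no longer matter.
        Path staged = Files.createTempFile(privateDir, "staged-", ".bin");
        Files.copy(sharedFile, staged, StandardCopyOption.REPLACE_EXISTING);

        // 2. Hash the private copy, not the shared original, so there is no window
        //    between "checked" and "used" in which another app can swap the bytes.
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        try (InputStream in = Files.newInputStream(staged)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                sha256.update(buf, 0, n);
            }
        }

        // 3. Constant-time comparison; on mismatch delete the copy and fail closed.
        if (!MessageDigest.isEqual(sha256.digest(), expectedSha256)) {
            Files.delete(staged);
            throw new SecurityException("staged file does not match expected SHA-256");
        }
        return staged;
    }
}
```

Verifying the file while it still sits in shared storage and then installing it from there would leave the same gap open, because the bytes can change between the check and the use.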

Fortnite's developer, Epic Games, is aware of this vulnerability and has already issued a new version of the installer. Players should be using version 2.1.0 to stay safe. If you have Fortnite already installed, remove it then reinstall from scratch using the patched version of the software.

Epic Games is none too pleased that Google went public with the exposure of Fortnite to this class of vulnerability, as previously reported. Kaspersky Lab CTO Nikita Shvetsov noted on Monday that the flaw stemmed from the same "Man-in-the-Disk" attack some Google apps were revealed as being vulnerable to earlier this month.

Kaspersky Lab's explanation of the Man-in-the-Disk vulnerability – and how consumers can minimise their exposure to the problem – can be found here. ®
