'If the fake APK has a targetSdkVersion of 22 or lower, it will be granted all permissions it requests at install-time. Consequently, the fake APK with a matching package name can be silently installed,' a Google researcher said. This API checks that the APK being installed has the package name. 'On Samsung devices, the Fortnite Installer performs the APK install silently via a private Galaxy Apps API.'

Google developers discovered that any app on your phone with the WRITE_EXTERNAL_STORAGE permission could intercept the installation and replace the installation file with another malicious APK, including one with full permissions granted, like access to your SMS, call history, GPS, or even camera, all without your knowledge.

In a nutshell, man-in-the-disk attacks allow malicious apps to manipulate the data of other apps held in the unprotected external storage before they read it, resulting in the installation of undesired apps instead of the legitimate update.

For those unaware, to install Fortnite on your Android phone, you first need to install a 'helper' app (installer) that downloads Fortnite to your phone's storage and installs it on your phone.
In a proof-of-concept video published by Google, researchers demonstrated that their attack takes advantage of a newly introduced 'man-in-the-disk' (MitD) vector (detailed in our previous article).
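
The weakness described above, modelled in Python as an added example (not code from the article, Epic or Google): a check that looks only at the package name accepts a file replaced in shared storage, while hashing a copy staged in app-private storage rejects it. The package name `com.example.game`, the toy file format and all function names are hypothetical.

```python
import hashlib, hmac, os, shutil, tempfile

# Constructed stand-ins for APK files; "com.example.game" is a hypothetical package name.
GENUINE = b"pkg=com.example.game\nbody=genuine-build"
SWAPPED = b"pkg=com.example.game\nbody=substituted-build"
EXPECTED_SHA256 = hashlib.sha256(GENUINE).hexdigest()  # assumed to arrive with the download over TLS

def name_only_check(path, expected_pkg):
    """Model of a check that looks only at the package name inside the file."""
    with open(path, "rb") as f:
        first_line = f.read().split(b"\n", 1)[0]
    return first_line == b"pkg=" + expected_pkg.encode()

def stage_and_verify(shared_path, private_dir, expected_sha256):
    """Copy to private storage first, then hash that copy. Returns the staged path or None."""
    staged = os.path.join(private_dir, "staged.apk")
    shutil.copyfile(shared_path, staged)   # after this, other apps cannot alter what we verify
    os.chmod(staged, 0o600)
    with open(staged, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    if hmac.compare_digest(digest, expected_sha256):
        return staged                      # the installer must install this file, not shared_path
    os.remove(staged)
    return None

def run_demo():
    """Download to shared storage, let the file be replaced, then run both checks."""
    with tempfile.TemporaryDirectory() as shared, tempfile.TemporaryDirectory() as private:
        download = os.path.join(shared, "download.apk")
        with open(download, "wb") as f:
            f.write(GENUINE)
        clean_ok = stage_and_verify(download, private, EXPECTED_SHA256) is not None
        with open(download, "wb") as f:    # models any app with write access to shared storage
            f.write(SWAPPED)
        return {
            "name_only_accepts_swapped": name_only_check(download, "com.example.game"),
            "digest_accepts_genuine": clean_ok,
            "digest_accepts_swapped": stage_and_verify(download, private, EXPECTED_SHA256) is not None,
        }

if __name__ == "__main__":
    print(run_demo())
```

Verifying the file while it still sits in shared storage would leave a gap between check and install, which is why the copy is made before the hash is computed.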