Google found that the Fortnite installer could load malicious apps on an Android phone
Back on August 15th, Google needed to get in touch with Epic Games, the developer of Fortnite. A serious flaw was discovered with the Fortnite installer for Android that required a patch to be sent out stat. How serious an issue was this? Consider that with the Fortnite installer loaded on an Android handset, a malicioius app could be installed on the device at the direction of a hacker.
Google even provided Epic with a video that showed Fortnite installed on a Samsung handset using the Fortnite installer. When the game was opened, a malicious app would launch instead of the game. According to the Google Issue Tracker, the installer allow these fake APK's to be installed on an Android phone as long as they carried the package name of com.epicgames.fortnite.
On August 17th, Epic pushed out version 2.1 of the Fortnite installer, which fixed the vulnerability by changing the APK storage directory from external to internal. Epic requested a 90 day period before disclosing what had happened behind the scenes. It requested this delay in order to allow all users to update to the new version of the installer. However, Google lifted all restrictions after seven days, which is the company's standard disclosure practice.
"On Samsung devices, the Fortnite Installer performs the APK install silently via a private Galaxy Apps API. This API checks that the APK being installed has the package name com.epicgames.fortnite. Consequently the fake APK with a matching package name can be silently installed...If the fake APK has a targetSdkVersion of 22 or lower, it will be granted all permissions it requests at install-time. This vulnerability allows an app on the device to hijack the Fortnite Installer to instead install a fake APK with any permissions that would normally require user disclosure."-Google Issue Tracker
As we previously told you, in order to save the 30% cut of revenue that it would have to pay Google to have Fortnite listed in the Play Store, Epic has decided to have Android users sideload the app using the installer. Seems to us that Google might have earned the opportunity to list the game after all.
source: Google
Things that are NOT allowed: