We're all sick of Fortnite, but the flaw found in its downloader is the latest way to attack Android

A newfound way to hack Android using a technique dubbed "Man-in-the-Disk" is central to the recent security flap about Fortnite on the mobile platform. Man-in-the-Disk can circumvent sandboxes and infect a smartphone or tablet using shared external storage through a seemingly harmless Android application. Sandboxing isolates …

  1. Anonymous Coward
    Anonymous Coward

    Epic Games is none too pleased that Google went public with the exposure of Fortnite to this class of vulnerability

    A sour grapes move by Google in response to Epic's snubbing of the Google Play Store (as reported in another recent El Reg article)?

    1. Anonymous Coward
      Anonymous Coward

      Not really, the world warned Epic that what they were doing was putting users security at risk, and that hundreds of thousands of kids that don't appreciate the value of security would be at risk by their move (which put profit above security). Epic didn't care, and carried on regardless.

      Google found the flaw, told Epic, gave them 7 days to sort their shite out, monitored adoption rates of the patch and then went public in a "told you so" manner.

      All perfectly normal and no different to what Microsoft, Apple or any other company would have done, and all perfectly in compliance with ISO/IEC 29147:2014

      1. Anonymous Coward
        Anonymous Coward

        Oooh, it's Google's brand ambassador!

        Nothing to see here, it's just Google trying to protect the kids. That's why the Android update service is so comprehensive! Google care so much they'd never risk Android users' security. (Except for the years when they were shipping that OS with no update mechanism, and a couple more years with it added in just for their own devices.)

        Because they care so much about the kids!

        1. Anonymous Coward
          Anonymous Coward

          Given how quickly game updates are disassembled to find new features and other changes, I'm siding with Google on this.

          "Nothing to see here, it's just Google trying to protect the kids."

          "Because they care so much about the kids!"

          * cough * straw man * cough *

        2. Anonymous Coward
          Anonymous Coward

          Stop being a kid. Everyone knows Android devices get security updates just fine, it's just the idiot press that's still playing games and ignoring patch adoption rates on the SHIPPING OS versions of phones, and just use the lazy Google metric of major OS adoption rates to write lazy stories that are utterly false.

          My wife's Samsung A3 2016 just got the July 2018 patch to Android 7.1.... Not measured in any metric....

          1. Dan 55 Silver badge

            "Everyone knows Android devices get security updates just fine"

            As in the "this is fine" dog in a burning room?

            1. Anonymous Coward
              Anonymous Coward

              Nope, as in pretty much every major manufacturer is delivering security updates on anything that cost more than a couple of hundred quid, and isn't more than a couple of years old.

              That's the reality, but that doesn't sell shite-rags, so you have idiot writers that take 3 year old £50 Chinese phones and use that to sway their metric to make a story.

              Don't forget to add the users that think that crying in public because they didn't get a major OS release on their 2 year old budget handsets, and think crying about this in public will change the manufacturer's decision to ruin their device by slowing it down with something it was never designed to run...

              The reality is that most half decent, recent handsets get security updates just fine, and that unless your phone is less than 6 months old, you are better off NOT getting the shiny new Android version that was never designed to run on your handset.

              1. Dan 55 Silver badge
                FAIL

                Unless things have radically turned around in the last four months, your shilling is bullshit, AC.

                Here's a highlight:

                El Reg can vouch for this first-hand. One of our offices has an Android 7 Samsung Galaxy S8 handset that, despite being "up to date," can't fetch any security patches since August last year.

                An Android 7 Samsung Galaxy S8 obviously being "a 3 year old £50 Chinese phone" from a non-"major manufacturer".

                Now please go and try it on with an audience which doesn't know what a shitshow Android updating is because you're wasting your time here.

                1. Anonymous Coward
                  Anonymous Coward

                  'The Unreal Engine is the RyanAir of game engines'

                  @Def

                  Cryengine was my Ryanair... But hey Game engines are very tribal. So all I can say is, I've built games with UE4 & UDK. Whereas I struggled too much with CryEngine and dropped it. I enjoyed some time with Unity, but I could never get good looking results (although I hear that's changing).

                  Look, I'm not claiming Unreal is the best / easiest, it's not. But if you invest time you get quality results. But you're from a different tribe so you'll always disagree... I'm guessing you're a Unity fan, as Lumberyard hasn't been around long and has anyone ever really fallen in love with Cryengine???

                  1. Def Silver badge

                    Re: 'The Unreal Engine is the RyanAir of game engines'

                    @AC

                    I wouldn't say I'm an anything fan these days. I tried using Unreal 3 back in the day, but that was just horrible. The last game I released was with Unity, but that was around six years ago now. Never tried CryEngine, but I have to admit I was always impressed with the way it looks.

                    Generally speaking though, I'm not talking about the results that can be achieved - all engines are pretty much the same in that regard. And from an artist/designer perspective, I doubt there's much in the editor experience either.

                    I'm talking about the very specific engineering quality of the Unreal Engine code. Partly from having had to listen to friends who are still in the games industry bitch and complain instead of getting on and drinking, and partly from my own experiences with UE3 (which was seriously shit in so many ways - and we had a source code licence, so I wasn't just limited to their script engine which as far as I could tell was written by a three legged, blind dog who had heard about language design from a wedding reception DJ he got chatting to in a queue in a 7-11 late one evening).

                    To give an example, this was a scripting language where something as basic as declaring and initialising a local variable couldn't be done in the same statement.

                2. Anonymous Coward
                  FAIL

                  Epic fail... (Galaxy S8)

                  You can bet money this is nothing to do with Android and everything to do with some screwed up American network subsidised phone that's been abandoned by Verizon or Sprint.

                  And rather than relying on what a scummy "journalist" (who gets paid depending on how sensational his story is, and how many impressions and ad clicks it generates) tells you, how about using a well known thing called FACTS...

                  Galaxy S8 on Vodafone:

                  https://www.sammobile.com/firmwares/galaxy-s8/SM-G950F/VOD/download/G950FXXU3CRGH/232230/

                  "United Kingdom (Vodafone). This firmware has version number PDA G950FXXU3CRGH and CSC G950FOVF3CRH1. The operating system of this firmware is Android 8.0.0 , with build date Wed, 25 Jul 2018 07:36:56 +0000. Security patch date is 2018-08-01"

                  Perhaps you want to go back further, a Galaxy s7 on o2

                  https://www.sammobile.com/firmwares/galaxy-s7/SM-G930F/O2U/download/G930FXXU2ERH1/232066/

                  "The operating system of this firmware is Android 8.0.0 , with build date Tue, 31 Jul 2018 08:51:48 +0000. Security patch date is 2018-08-01, "

                  Maybe even a S6

                  https://www.sammobile.com/firmwares/galaxy-s6/SM-G920F/O2U/download/G920FXXU6ERG1/232239/

                  The operating system of this firmware is Android 7.0 , with build date Tue, 10 Jul 2018 14:10:02 +0000. Security patch date is 2018-06-01,

                  Looking pretty silly right now guess...

                  1. Anonymous Coward
                    FAIL

                    Re: Epic fail... (Galaxy S6)

                    And to further embarrass all the clearly idiot cretins who believe everything a "journalist" writes. A network locked UK Galaxy s6 that was released on April 10 2015, yep over 3 and a half years ago, has got the June 2018 security patch...

                    network

                    How does it feel to get called out for being a FUDsponge???

                    I see the apple protection squad are downvoting facts that contradict the fake news they were fed... Way to go to make it even more hilarious....

                    1. BinkyTheMagicPaperclip Silver badge

                      Re: Epic fail... (Galaxy S6)

                      Oh, that's nice, you've cherry picked some examples without noting it doesn't apply to other phones.

                      Go and check out the patch level for the Blackberry Priv, it's ok, I'll wait.. Alternatively go and check that the S6 Edge was initially withdrawn from security patch support, but Samsung later backtracked.

                      Check out this from Google themselves :

                      https://www.android.com/intl/en_uk/enterprise/recommended/

                      The guaranteed three years of updates only applies for specified 'Enterprise' devices.

                      If you bought a computer for a few hundred quid, you'd expect to receive patches for much longer than three years, and to be able to update the OS. For some reason (the contract nature of phones) the general populace are brainwashed into thinking this is acceptable when it's a pocket computer that connects over a mobile network.

                      1. Anonymous Coward
                        Anonymous Coward

                        Re: Epic fail... (Galaxy S6)

                        "Oh, that's nice, you've cherry picked some examples"

                        Cherrypicked? I used the phone model that the ElReg clickbaiter claimed had been abandoned and then went back 2 further phone generations both of which show their latest versions of software to be within 90 days old. The oldest phone being released 3 and a half years ago.

                        I totally destroyed their clickbait claims with some factual information...

                        1. BinkyTheMagicPaperclip Silver badge

                          Re: Epic fail... (Galaxy S6)

                          As I noted above some of the Samsung phones were abandoned, but were later reinstated (for now), you can check this if you wish.

                          The real point is that there are a number of phones that have security support dropped after two years, and that Google themselves only specifically tout three years security updates as a feature for Enterprise certified phones.

                          This is somehow deemed as being 'good' - it isn't, it's below what would be expected as baseline performance for a mass market OS on a PC. Given that mobiles are frequently used to access sensitive information (confirming credit card purchases, banking/ebay/paypal/other site apps), as soon as security support is dropped they really should be treated as useful as a brick.

                          ALL phones should have security patches provided for a lifetime comparable with a PC based OS. In a sane world, all the mobile phone apps should also continue to be patched, and not forced to update to a new, bloated version that makes a handset unusable. This does go against the current mobile development ethos of 'continuous improvement' (continually broken), but that's because the current model is flawed.

                          Old phone of five years age should still be able to Facebook/whatever app with a new phone, with some common features, both with no security issues and acceptable performance.

                          If you look at Vista, one of the less loved versions of Windows, it was 'fully supported' for five years, and security patched for nine. For the last couple of years of its life cycle, just like Windows 7 now, whilst technically 'supported', various vendors were less than keen to update products to support it. Nevertheless that's a damn sight better than Android.

                          If people continue to accept this, the situation is likely to worsen, and this model is slowly reaching the PC. Don't roll over, or you'll find your PC is soon even less your own than you realised. Not that I'm a fan of Stallman, but he was basically right, as is Theo de Raadt (OpenBSD). If you don't control your own hardware and software, someone else controls it for you.

                3. Anonymous Coward
                  Anonymous Coward

                  Interesting the El Reg "my phone doesn't have any updates" shilling bullshit doesn't mention a phone model number, or what network operator it's on, as then we really could show that it's utterly untrue...

                  How convenient...

              2. Trilkhai

                >pretty much every major manufacturer is delivering security updates on anything that cost more than a couple of hundred quid, and isn't more than a couple of years old

                Including all active phones when describing patch adoption rates is being accurate; limiting the results to only the expensive recent phones is what would qualify as "swaying the metric."

                A person shouldn't need to spend a few hundred dollars every other year to have a secure phone, especially given that major-brand (Moto, LG, etc.) budget phones have been powerful enough for a while now to more than adequately serve an average adult for 2-3 years.

      2. Destroy All Monsters Silver badge
        Trollface

        Makkaveev discovered that not all app developers, not even Google employees or certain smartphone manufacturers, follow the advice. Makkaveev demonstrated exploitation of the vulnerability in Google Translate, Yandex.Translate, Google Voice Typing, and Google Text-to-Speech, as well as system applications by LG and the Xiaomi browser.

        Google researchers recently discovered that the same Man-in-the-Disk attack can be applied to the Android version of the popular game Fortnite.

        And so they acted immediately.

        Apart from that I don't even see the particular complexity to sandboxing filesystem access? Is it just that Android doesn't do finegraining here?

        1. Anonymous Coward
          Anonymous Coward

          re: * cough * straw man * cough *

          "the world warned Epic that what they were doing was putting users security at risk, and that hundreds of thousands of kids that don't appreciate the value of security would be at risk by their move (which put profit above security). Epic didn't care, and carried on regardless."

          But if I mention security I'm "straw man"ing? That's not what that phrase means.

      3. Anonymous Coward
        Anonymous Coward

        'the world warned Epic that what they were doing was putting users security at risk'

        Epic's security is not first class as their expertise is game tech. But to be clear, Google doesn't give a flying fuck about anything except Google. That's why we have this: "Want to Avoid Malware on Your Android Phone? Try the F-Droid App Store | WIRED"

        https://www.wired.com/story/android-users-to-avoid-malware-ditch-googles-app-store/

        1. Def Silver badge

          Re: 'the world warned Epic that what they were doing was putting users security at risk'

          "Epic's security is not first class as their expertise is game tech."

          That made me laugh. If you had first hand experience with their game "tech", you wouldn't consider it first class. The Unreal Engine is the Ryan Air of game engines - it may get you where you want to go, but you'll feel dirty, bruised, and abused when you get there.

      4. RyokuMas Silver badge
        Boffin

        A bit of context...

        "Google found the flaw, told epic, gave them 7 days to sort their ..."

        To put a bit of context on this: in December 2008, a group of researchers found a collision attack on MD5 hashing that undermined SSL certificates in use at the time - in this case, a one week responsible disclosure period was applied.

        So I guess either Google rate this threat as highly as the compromise of every web browser out there, or this is just sour grapes... and it's not like Google haven't got form for pulling the trigger on disclosure when it suits them as opposed to when is responsible...

  2. adam payne Silver badge

    To download the game, users need to install a helper app first. This, in turn, is supposed to download the game files.

    But by using the Man-in-the-Disk attack, a crook can trick the helper into installing a malicious application.

    Bypass the Play Store and this is what can happen.

    1. sabroni Silver badge

      re: Bypass the Play Store and this is what can happen.

      Nice game you've got here, very profitable. It'd be a shame if anything nasty happened to it.......

      Of course we can give you protection! And for only 30% of your sale price!

      1. Chands

        Re: re: Bypass the Play Store and this is what can happen.

        Yup. industry standard. Epic pay Apple 30%.

        Point being what ?

        1. Prst. V.Jeltz Silver badge

          Re: re: Bypass the Play Store and this is what can happen.

          What do Apple do exactly for 30% of the gazillions Fortnite is earning?

          or is it 30% of the free-to-play base app?

        2. sabroni Silver badge

          Re: Point being what ?

          Apple's walled garden has better walls so they had to pay up. Google allow anyone to side load.

          Apple users are used to laying out lots of cash. Google users are used to getting things for free.

          (Industry standard? How many app stores did you look at to get that figure?)

        3. DavCrav Silver badge

          Re: re: Bypass the Play Store and this is what can happen.

          "Yup. industry standard. Epic pay Apple 30%.

          Point being what ?"

          The Mafia and the Yardies take 30%, therefore it's fine?

      2. Anonymous Coward
        Anonymous Coward

        Re: re: Bypass the Play Store and this is what can happen.

        Are you referring to Apple here???

        The only reason they didn't do this on iOS, is you need a full jailbreak, rather than Android disabling of device security

    2. LDS Silver badge

      You mean Google Translate bypasses the Play Store?

    3. Anonymous Coward
      Anonymous Coward

      'Bypass the Play Store and this is what can happen'

      Honestly who writes this Google shill sht... - Google PR Bots? - DON'T Bypass the 'Play Store' and this is what can happen:

      --------

      "Want to Avoid Malware on Your Android Phone?"

      https://www.wired.com/story/android-users-to-avoid-malware-ditch-googles-app-store/

      1. adam payne Silver badge

        Re: 'Bypass the Play Store and this is what can happen'

        I'm currently not a Google PR bot. I neither like nor dislike Google.

        I'm simply saying when you have to use a custom installer there is always going to be a risk.

        1. Anonymous Coward
          Anonymous Coward

          'I'm simply saying when you have to use a custom installer there is always going to be a risk'

          This is a weakness of Android more than Epic and - crucially:

          "not even Google employees or certain smartphone manufacturers, follow the advice. Makkaveev demonstrated exploitation of the vulnerability in Google Translate, Yandex.Translate, Google Voice Typing, Google Text2Speech"

        2. Dan 55 Silver badge

          Re: 'Bypass the Play Store and this is what can happen'

          Same as when you use Play Store:

          Researchers have found a batch of over 60 malware-carrying apps in Google's Play Store designed to rob mobile users or show them pornography, all with a kid-friendly theme.

          The malware, dubbed AdultSwine by security shop Check Point, was found in apps like "Drawing Lessons Lego Star Wars", "Fidget spinner for Minecraft" and "Spinner Toy for Slither", along with a large number of Android games. The apps were downloaded between three and seven million times before the infection was caught.

          1. Anonymous Coward
            Anonymous Coward

            Re: 'Bypass the Play Store and this is what can happen'

            The sad thing is, you actually believe that, despite very little of it being true...

            May I suggest you disconnect from the internet, you clearly have trouble separating news from fake news..

            1. Prst. V.Jeltz Silver badge

              Re: 'Bypass the Play Store and this is what can happen'

              re "The sad thing is, you actually believe that"

              Which of the 17 possible posts are you replying to?

            2. Dan 55 Silver badge

              Re: 'Bypass the Play Store and this is what can happen'

              "The sad thing is, you actually believe that, despite very little of it being true...

              May I suggest you disconnect from the internet, you clearly have trouble separating news from fake news.."

              Ah, malware in apps on Play Store is now fake news? I can see you've taken the time to rebut the points raised in that article.

      2. DryBones

        Re: 'Bypass the Play Store and this is what can happen'

        I see remarkable parallels here between using standard and tested crypto libraries versus people rolling their own proprietary ones. The latter inevitably have gaping issues. Also the issue with people not implementing the standard and tested crypto libraries properly. This is why there is example code for those that should be followed assiduously.

        Epic rolled their own, and it bit them. Are we going to start defending those that roll their own crypto as "stickin it to The Man", or pointing out they're DIYing what they really should have a professional do?

        1. Claptrap314 Bronze badge

          Re: 'Bypass the Play Store and this is what can happen'

          No, the problem is that Google promulgated an unsafe-by-default system. There is absolutely 0 reason that applications should be able to read (let alone write) data for other applications by default. The fact that this is not the case demonstrates just how much Google cares about the end users.

        2. DavCrav Silver badge

          Re: 'Bypass the Play Store and this is what can happen'

          "Epic rolled their own, and it bit them."

          Bollocks. The same mouth took a bite out of Google Translate. So exactly who didn't screw this one up?

      3. Anonymous Coward
        Anonymous Coward

        Re: 'Bypass the Play Store and this is what can happen'

        That is really bad advice. Ditching the Google Play store (which requires you to disable your phone's security settings) is the easiest way to get malware.

        Any site suggesting you do this really should not be writing technical "news", they are frankly dangerous. If you get caught with malware due to their advice, I would guess you would have a pretty good legal case against them, just like you would any other commercial entity that suggested you disable your antivirus

        1. Prst. V.Jeltz Silver badge

          Re: 'Bypass the Play Store and this is what can happen'

          Imagine if Microsoft had made windows so that every software company had to pay them 30%, or they could advise their customers to disable AV.

        2. Dan 55 Silver badge

          Re: 'Bypass the Play Store and this is what can happen'

          "That is really bad advice. Ditching the Google Play store (which requires you to disable your phone's security settings) is the easiest way to get malware.

          Any site suggesting you do this really should not be writing technical "news", they are frankly dangerous. If you get caught with malware due to their advice, I would guess you would have a pretty good legal case against them, just like you would any other commercial entity that suggested you disable your antivirus"

          According to the reply arrow you are replying to the AC above who posted the link to Wired. Wired explained how to install F-Droid, which is considerably more trustworthy than the Play Store. They allow open source software only and have humans vetting each app, recompiling the source from scratch. F-Droid is my first install on any new Android phone.

        3. Anonymous Coward
          Anonymous Coward

          Re: 'Bypass the Play Store and this is what can happen'

          Listen AC, if you are not a google PR bot, and are really human, let me explain something to you.

          This is a very technical site with very technical users. They are not the kind of users who need to have half-baked pseudo protection rackets forced on them 'for their protection'.

          I am sure your comments are valid on a site for technophobes, but your attitude comes off as someone with no experience of the real world, and a firm drinker of the google Kool-Aid.

          Oh, and google is synonymous with searching. Your creators will lose their trademark soon, have a nice day. :D

    4. DeKrow

      Same thing can, and does, happen with apps downloaded from the store, including apps authored by Google itself. Which was one of the points of this whole article.

      Epic's avoidance of the app store is not the issue here except for the argument, counter to yours, that being on the app store implies security.

    5. John Brown (no body) Silver badge

      "Bypass the Play Store and this is what can happen."

      Did you RTFM? Isn't the whole point of the story that even Google's own apps are susceptible, even from the Play Store?

  3. onefang Silver badge

    Well, that escalated quickly.

    1. Anonymous Coward
      Anonymous Coward

      Yes, it's a Gallic Village out there and no messing.

    2. Anonymous Coward
      Anonymous Coward

      Yep, sorry, I posted some facts that shot the idiots down...

      Facts around here are few and far between, as it takes over a minute to find that data....

  4. David 164

    I'm just filling up with sympathy for Epic here, so much sympathy I don't think I will be able to contain it, lol.

  5. Anonymous Coward
    Anonymous Coward

    'Bypass the Play Store and this is what can happen'

    "Android apps available on Google Play are often 'saturated by spyware'"

    https://www.news.com.au/technology/online/social/why-google-not-facebook-should-be-your-main-concern/news-story/73429806a3d62fce6394bda1b3567d03


Biting the hand that feeds IT © 1998–2019