Google found that the vulnerability allowed hackers to download and install absolutely any app in the background, without seeking the consent or permission of the user. On top of that, these apps would be granted full access without the user's knowledge.
Google disclosed this vulnerability to Epic Games on 15 August, and has since released the information publicly following confirmation from Epic that the vulnerability was patched.
What is the Fortnite Installer app?
For the uninitiated, the Fortnite Installer is a simple app that you download and install, which then downloads the full Fortnite game directly from Epic. In other words, when you download Fortnite you don't actually download the whole game; you download the Fortnite Installer first.
What exactly happens because of the vulnerability?
Google's security team found that the Fortnite Installer is very susceptible to hijacking, so every time you request to download Fortnite from Epic, there is a chance that it would download any other random app instead.
Google calls it a "man-in-the-disk" attack. Android Central defines this as a scenario “when an app on your phone looks for requests to download something from the internet and intercepts that request to download something else instead, unbeknownst to the original downloading app. This is possible purely because the Fortnite Installer was designed improperly — the Fortnite Installer has no idea that it just facilitated the malware download, and tapping ‘launch’ even launches the malware.”
Fortunately, Epic acted quickly on this and says it fixed the issue in less than 48 hours after being notified. Epic says that it has deployed the fix to every Fortnite Installer that had been installed previously.
This means it is safe for new users to download the Fortnite Installer. If you already had it, you need to update the Installer to version 2.1.0, which you can check for by launching the Fortnite Installer and going to its settings.