Fortnite app allowed hackers to secretly install anything on Android phones

The discovery was made by Google's security team after Fornite maker decided to bypass the Google Play Store.

Millions of Fornite gamers may have allowed hackers to download malicious apps onto their phones without ever realising.

A serious flaw in the first Fortnite installer - an app that helps users download the game on their Android phones - allowed any app on a user's phone to silently install other apps.

The discovery was made by Google's security team after Fornite maker, Epic Games, decided to release its own installer as a way to bypass the Google Play Store.

The Google Play Store is the app store for Android phones, used on smartphone models from Samsung, Sony and Huawei.

It is considered a more secure way to download apps from the internet, which could contain viruses or malware.

But Fortnite, the widely popular cartoon-like online game where players compete in a "battle royale", isn't featured.

Instead, Epic Games decided to skip using the Google Play store to distribute Fornite so that it could avoid paying Google a 30pc cut of its game's revenue.

Google's security team first disclosed the vulnerability privately to Epic Games on August 15. Epic Games said it fixed the issue within hours of being informed.

Google found that the installer was vulnerable to what is known as a "man-in-the-disk" attack.

Fortnite downloads an APK, which is the package for Android apps, stores it locally and then launches it.

The installer, however, only checked that the name of the APK was right. If a file wascalled "com.epicgames.fortnite", it would launch it, regardless of whether it was fake or malicious.

This means hackers could intercept the request to download Fornite and download something else instead, such as spyware.

Ahead of its release on Android, cyber security company Sophos warned the decision to bypass the Google Play store could backfire.

"[It] risks undermining one of the simplest, most useful and easiest to remember pieces of security advice we can offer: stick to Google Play," it said.

NCC chief technology officer Ollie Whitehouse told the Telegraph: "It is not what we would recommend.

"There is a lot of effort put into securing these stores, and this is setting a precedent."