Epic: Google set up task force over Fortnite and exaggerated vulnerability

Google set up a task force to figure out how the company should deal with how Epic Games was distributing Fortnite to Android users. This game was not published on Google Play, but was available for download on Epic’s website.

The task force was established in August 2018 and met daily, writes the Financial Times, among others, on the basis of internal Google documents released by Epic Games. It is not clear how many people this task force consisted of and how long it was active. With the task force, Google wanted to investigate what steps it could take against distributing Fortnite outside the Play store, the internal documents say.

That task force would have found a vulnerability in the Fortnite installation app, among other things. Epic is presumably referring to the “man-in-the-disk” vulnerability, which was disclosed in August 2018, where an attacker could have installed malware via the Fortnite installation file.

Normally, when finding such a vulnerability, Google gives a developer 90 days to fix the vulnerability. Only then does Google normally start publishing. Bloomberg reports on the basis of the same Google documents that Google did not wait ninety, but nine days with the Fortnite problem. At that time, the company already went to ‘friendly’ media with the information.

Epic says that Google ignored user safety and that Google wanted to deter developers from offering apps outside the Play store. According to Epic, the documents would also state that Google’s own employees would find the warnings about the Fortnite leak “exaggerated”. The head of the Android security team is said to have said the messages to users were “inappropriately serious”.

Epic states that although Google profiles Android as an “open platform”, the platform would not be open in terms of apps. “When a developer makes a serious effort to distribute a popular application outside of Google Play, executives within Google take immediate steps to maintain Google’s monopoly on distributing Android apps,” Epic Games writes.

Google said in a response that Epic released Fortnite on Android with a vulnerability that was dangerous for user data. “Security and safety are our top priorities, so naturally we took steps to warn our users. We will challenge Epic’s claims in court.”

The Epic documents are part of the lawsuit between Epic and Google. This one revolves around the payment system that Epic added to Fortnite. In April 2020, Epic released Fortnite in Play, in August the company added the payment system. Google removed Fortnite from Play because it allowed Epic to circumvent Google’s own payment system and the commission; Epic subsequently sued Google again. A judge will consider the lawsuit in October next year.