A Man-in-the-Disk attack can occur when an Android app stores on the mobile device’ external storage, that is shared by all apps. A malicious app could tamper with files stored on the external storage.
In this case, the Fortnite app installer stored the install file on external storage, and then runs that install file. Another app already installed can observe that, replace the file with its own, and cause any code to run.
Epic Games has released a fix.
Read more about it here.