Smartphones running Android 8.0 (Oreo) or above are impacted by a bug, tracked as CVE-2019-2114, that allows hackers to plant malware on nearby devices via NFC beaming discreetly.
However, Google recently released a patch to address this vulnerability.
For those unaware, NFC (Near Field Communication) beaming works via an internal Android OS service known as Android Beam. Android Beam allows data to be transferred between two devices via NFC radio waves and also allows the rapid short-range exchange of web bookmarks, contact info, directions, YouTube videos, and other data.
Normally, when apps (APK files) are transferred via NFC beaming, they are stored on disk and a notification is displayed on the screen. The prompt asks the device owner for permission to allow the NFC service to install an app from an unknown source.
In January this year, security researcher Y. Shafranovich discovered that APK files sent via NFC beaming on Android 8 (Oreo) or later versions would not display any security notification to the users. Instead, the notification would allow the user to install the app from unknown source with just one tap, without asking for any explicit security permission.
Usually, Google displays a security warning when you install apps from unknown sources, as any app installed from outside the official Play Store is considered untrusted and unverified. However, certain services like Google Chrome and Dropbox Android app receive the same level of trust as the official Play Store app, and can be downloaded without being blocked.
The CVE-2019-2114 bug dwelt in the fact that Google whitelisted the NFC Beaming feature, which wasn’t meant to happen. According to Google, the Android Beam service was meant to transfer data from device to device and not install applications.
Google has fixed the vulnerability with October 2019 Android patches and removed the Android Beam service from the OS whitelist of trusted sources.
However, many millions of Android device users that have the NFC service and Android Beam service enabled are at risk, as a nearby attacker exploit the CVE-2019-2114 flaw to plant malware (malicious apps) on vulnerable phones.
“In Android 8 (Oreo) a new feature was introduced that requires users to opt-in to the “Install unknown apps” permission on a app by app basis. However, it appears that any system application that is signed by Google will be automatically whitelisted and would not prompt the user for this permission. On a standard Android OS device, the NFC service is one such system application that has the permission to install other applications.” reads the analysis published by NightWatchCybersecurity “This means, that an Android phone that has NFC and Android Beam enabled, then touching a malicious phone or a malicious NFC payment terminal to the device may allow malware to be installed by bypassing the “install unknown apps” prompt.”
In order for the bug to work on a NFC enabled Android device, the attacker has to be at a distance of 4 cm (1.5 inches) or lesser, which may not always be possible.
As a precautionary measure, we suggest you to turn off the NFC and Android Beam features on your smartphone. Additionally, we request you to update your Android smartphone to receive the October 2019 security updates.