ZDNet reported that a recently exposed Android vulnerability allowed hackers to exploit near-field contact (NFC) on devices to spread implanted malware to victims. The CVE-2019-2114 vulnerability report states that the problem stems from a little-known Android OS feature called NFC Beaming. All devices running Android 8 Oreo and above will be affected.
IT IS REPORTED THAT NFC BROADCASTWORKS WORK THROUGH THE ANDROID BEAM SERVICE INSIDE THE DEVICE. (Screenshot via ZDNet)
The service allows Android devices to use Near Field Communication (NFC) technology instead of Wi-Fi or Bluetooth to send images, files, videos, and even apps to another device.
Typically, APK installation packages transmitted over NFC are stored on the device and a notification is displayed on the screen asking the user if they are allowed to install applications from unknown sources.
In January, however, a security researcher named Y. Shafranovich found that sending an app over NFC broadcasts on Android 8 (Oreo) or later does not show this prompt.
Instead, the notification allows the user to install the application without issuing any security warnings.
Despite the absence of a hint that doesn’t sound that important, it is a major issue in the Android security model.
Fortunately, Google fixed this NFC Beaming vulnerability affecting Android devices in October 2019.
The definition of “unknown source”, especially anything installed outside the official Play Store, is considered untrustworthy and unverified by default.
If the user needs a side-borne external app, he or she must go to the Settings menu and manually enable Allow the app to be installed from an unknown source.
Before Android 8 Oreo, there was no problem with this setting. Starting with Android 8 Oreo, however, Google redesigned the mechanism to an app-based setting.
In the CVE-2019-2114 vulnerability, Android Beam was whitelisted and granted the same trust rights as the official Play Store.
Google says the Android Beam service has never been a way to install apps, but just a way to transfer data between devices.
Even so, the company kicked Android Beam out of the list of trusted sources in the mobile operating system in the October 2019 Android security patch.
For millions of Android users who are still at risk, we would recommend that you upgrade your phone’s security patches as soon as possible, or try to turn off NFC and Android Beam when not in use.