Once again, here is a heads-up for Android users, though perhaps not so serious this time. Reportedly, a vulnerability affecting NFC beaming on Android devices can enable cyber attacks. While Google has already rolled out a patch for it, not all Android users are safe yet.
Android NFC Beaming Vulnerability Discovered
Reportedly, researcher Y. Shafranovich discovered a major glitch in recent Android devices earlier this year. He found the vulnerability in the NFC beaming feature of Android 8 and later devices.
Specifically, he noticed that recent Android OS versions do not prompt users to allow NFC to install external apps. Instead, during a file transfer via NFC beaming, the system simply shows the user an app installation alert without any security prompt.
This is in contrast to earlier Android versions, where the system shows a notification to the user during NFC file transfers. That prompt clearly seeks the user's permission to allow NFC to install apps from unknown sources. This matches the general Android settings on older devices (up to Android 7), where a single option governs installation from unknown sources for all apps.
In Android 8 and later versions, by contrast, every app has its own dedicated permission control for installing unknown apps.
While that sounds harmless, the problem lies in how Google handles this permission for apps by default. The new Android versions simply whitelist all apps signed by Google and allow them to install apps from external sources.
Hence, the glitch exposes the recent Android versions, 8, 8.1, and 9, to security risks. A potential attacker can exploit this vulnerability to send malicious applications to a target device. As elaborated by the researcher,
On a standard Android OS device, the NFC service is one such system application that has the permission to install other applications. This means that if an Android phone has NFC and Android Beam enabled, then touching a malicious phone or a malicious NFC payment terminal to the device may allow malware to be installed by bypassing the “install unknown apps” prompt.
Technical details are available in an advisory.
Patch Out Already – Update Now!
After finding the vulnerability in January 2019, the researcher reported the matter to Google. After working on the fix for months, Google finally released the patch with the October 2019 Android updates. Google has classified the bug (CVE-2019-2114) as a high-severity vulnerability.
Therefore, users with devices running Android 8.0 and later versions should make sure to update their devices to install the fix.
The vulnerability isn’t especially dangerous, though, as it requires the attacker to be physically present in the vicinity of the target device. Nonetheless, it still poses a potential threat to users, particularly those who frequently use NFC.
Therefore, the ideal protection against such attacks is to entirely disallow all apps, including the NFC service, from installing apps from external sources. For this, users have to manually adjust the setting for every app.
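Checking that per-app setting by hand on every app is tedious, so here is a small audit script as an added example (it is not code from the article, from the researcher, or from Google). It wraps two real adb commands, `adb shell pm list packages` and `adb shell appops get <package> REQUEST_INSTALL_PACKAGES`, and reports which packages are explicitly allowed to install apps from unknown sources. The package name com.android.nfc is the AOSP NFC service; the other package names and all of the appops output below are constructed sample data so the script also runs with no device attached.

```python
"""Audit which packages on a connected Android 8+ device are allowed to
install apps from unknown sources (the per-app setting described above).
Added example, not code from the article or the researcher.

It wraps two real adb commands:
  adb shell pm list packages
  adb shell appops get <package> REQUEST_INSTALL_PACKAGES
The parsers are exercised on constructed sample output so the module runs
without a device attached; audit_device() only queries a device when adb is
on PATH.
"""
import re
import shutil
import subprocess
from typing import Dict, List, Optional

# Constructed sample of `pm list packages` output. com.android.nfc is the
# AOSP NFC service package; the other two names are made up for the demo.
SAMPLE_PACKAGES = """package:com.android.nfc
package:com.example.browser
package:com.example.notes
"""

# Constructed sample of `appops get <pkg> REQUEST_INSTALL_PACKAGES` output,
# one entry per package above, in the shape appops prints on Android 8+.
SAMPLE_APPOPS: Dict[str, str] = {
    "com.android.nfc": "REQUEST_INSTALL_PACKAGES: allow; time=+3d4h12m0s ago\n",
    "com.example.browser": "REQUEST_INSTALL_PACKAGES: deny\n",
    "com.example.notes": "No operations.\n",
}

_MODE_RE = re.compile(r"^REQUEST_INSTALL_PACKAGES:\s*(\w+)", re.MULTILINE)


def parse_package_list(text: str) -> List[str]:
    """Turn `pm list packages` output into a list of package names."""
    return [line[len("package:"):].strip()
            for line in text.splitlines() if line.startswith("package:")]


def parse_appops_mode(text: str) -> Optional[str]:
    """Extract the mode (allow/deny/default/ignore) for REQUEST_INSTALL_PACKAGES.
    Returns None when appops prints 'No operations.' (the op was never set)."""
    match = _MODE_RE.search(text)
    return match.group(1) if match else None


def find_unknown_source_installers(packages: List[str],
                                   appops_by_pkg: Dict[str, str]) -> List[str]:
    """Return the packages whose REQUEST_INSTALL_PACKAGES op is explicitly
    'allow'. Only an explicit allow is flagged; deny/default/ignore and unset
    ops are treated as not allowed (a conservative reading chosen for this
    example, not something the article states)."""
    return [pkg for pkg in packages
            if parse_appops_mode(appops_by_pkg.get(pkg, "")) == "allow"]


def _adb(*args: str) -> str:
    """Run an adb shell command and return its stdout (device required)."""
    return subprocess.run(["adb", "shell", *args], check=True,
                          capture_output=True, text=True).stdout


def audit_device() -> Optional[List[str]]:
    """Query a connected device; returns None when adb is not installed."""
    if shutil.which("adb") is None:
        return None
    packages = parse_package_list(_adb("pm", "list", "packages"))
    appops = {pkg: _adb("appops", "get", pkg, "REQUEST_INSTALL_PACKAGES")
              for pkg in packages}
    return find_unknown_source_installers(packages, appops)


if __name__ == "__main__":
    demo = find_unknown_source_installers(parse_package_list(SAMPLE_PACKAGES),
                                          SAMPLE_APPOPS)
    print("sample data: allowed to install unknown apps ->", demo)
    live = audit_device()
    if live is not None:
        print("connected device: allowed to install unknown apps ->", live)
```

On the constructed sample the script flags only com.android.nfc, which is exactly the case the researcher describes: a Google-signed system app that holds the install permission without the user ever having granted it. With a device attached and USB debugging enabled, each flagged package can then be reviewed in the per-app "Install unknown apps" setting the article refers to, and the permission withdrawn where it is not needed.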
Alternatively, those who need NFC for making payments and other such operations can consider disabling Android Beam to stay safe.
Let us know your thoughts in the comments.