Android bug (already fixed) allows to install Malware via NFC
The possibility is remote, but the risk is still to be taken into consideration: if the security update is not yet available, it is advisable to disable NFC and Android Beam from Oreo onwards.
During the month of October, Google released a security patch to eliminate an Android bug that allowed it to spread and install malware through a little known feature of the operating system, called Android Beam and, which uses NFC technology.
As reported by ZDnet, Android Beam, an internal service of the operating system, allows the device to send data and content (documents, images, files, videos and even apps) to another nearby device using precisely the NFC technology, as an alternative to the more known methods that rely on WiFi and Bluetooth.
Normally the apps (.apk files) sent via NFC beaming are stored in the local storage of the device: the user is shown on the screen a notification asking if you want to allow the NFC service to install an app from an untrusted source.
Last January, a security researcher discovered that starting with Android 8 (Oreo) and later versions, the notification simply asks if you want to install the app without any additional security warning.
The bug, classified as CVE-2019-2114, lies in the fact that the Android Beam app was included in the whitelist of applications deemed ” trusted ” : in other words, it had the same level of trust as the Google Play Store.
Google explained that this should not have happened, also because the Android Beam service was never designed as a way to install applications, but a simple tool for transferring files from device to device. Patches released in October removed Android Beam from the whitelist of trusted sources.
Considering the widespread lack of interest in keeping your device updated, especially among users less attentive to the theme of security or in general in the world of technology, and adding to this the questionable roll-out system of Android updates, including those of security, that are left to the individual manufacturer of the specific smartphone model.
It is likely to assume that millions of devices are still vulnerable: those in possession of an Android smartphone with active NFC technology and enabled Android Beam service run the risk of absently installing malware on their own phone sent by an attacker nearby.
It is good to remember that NFC connections are activated only when two devices are placed at a distance of at least 4 centimeters: this means that an attacker should place his phone very close to that of the victim, which is not always possible. This is likely in particularly crowded places, or for example: in public transport during rush hour.
The advice, for those who cannot yet get hold of the security updates of the month of October 2019, is to disable NFC and Android Beam service, especially if they do not actually need it.