Google last month patched an Android bug that could allow attackers to transfer a malicious application to a nearby NFC-enabled device via the Android Beam feature, bypassing security mechanisms in the process.
The vulnerability was discovered in early 2019 by the research team at Nightwatch Cybersecurity, which late last month published a company blog post detailing his findings. Media organizations only began picking up on this story in early November.
Designated CVE-2019-2114, the vulnerability was found to affect phones operating on Android version 8 and above that have both NFC and the Android Beam feature enabled.
Normally, Android phones do not allow device owners to install an unknown program without first granting permission on an app-by-app basis. However, Nightwatch found that any system apps signed by Google were automatically whitelisted and thus excluded from this user-approval security measure.
“On a standard Android OS device, the NFC service is one such system application that has the permission to install other applications,” said the Nightwatch blog post, authored by researcher Yakov Shafranovich. “This means that an Android phone that has NFC and Android Beam enabled, then touching a malicious phone or a malicious NFC payment terminal to the device may allow malware to be installed by bypassing the ‘install unknown apps’ prompt.”
An attack scenario exploiting this vulnerability is quite simple: Download a malicious APK file on the sender phone, then opt to share with another device in proximity via the Android Beam feature. The device on the receiving end will a “Beam completed” notification. If the user taps the file, the device will jump to the install prompt without ever going through the “Install unknown apps” check.
Users have been urged to apply Android’s October patches and ensure that the “install unknown apps” permission in settings indicates that the NFC Service is not allowed to automatically install apps.