
Patched bug allows beaming of malicious apps to NFC-enabled Android devices

Google last month patched an Android bug that could allow attackers to transfer a malicious application to a nearby NFC-enabled device via the Android Beam feature, bypassing security mechanisms in the process.

The vulnerability was discovered in early 2019 by the research team at Nightwatch Cybersecurity, which late last month published a company blog post detailing its findings. Media organizations only began picking up on the story in early November.

Designated CVE-2019-2114, the vulnerability was found to affect devices running Android 8 and later that have both NFC and the Android Beam feature enabled.

Normally, Android 8 and later will not install an app from an unknown source until the user has explicitly granted the app doing the installing the "Install unknown apps" permission, which is approved on an app-by-app basis. However, Nightwatch found that system apps signed by Google were granted the underlying REQUEST_INSTALL_PACKAGES permission automatically and were thus excluded from this user-approval step.

"On a standard Android OS device, the NFC service is one such system application that has the permission to install other applications," said the Nightwatch blog post, authored by researcher Yakov Shafranovich. "This means that an Android phone that has NFC and Android Beam enabled, then touching a malicious phone or a malicious NFC payment terminal to the device may allow malware to be installed by bypassing the 'install unknown apps' prompt."

An attack scenario exploiting this vulnerability is straightforward: download a malicious APK file on the sender phone, then share it with a nearby device via the Android Beam feature. The device on the receiving end shows a "Beam completed" notification. If the user taps it, the device jumps straight to the package installer's prompt without ever going through the "Install unknown apps" check. The victim still has to confirm the installation itself; what is bypassed is the per-source approval that would normally stop an unvetted app from even reaching that prompt.

Users have been urged to apply Android's October 2019 security update, which addresses CVE-2019-2114, and to check the "Install unknown apps" list in settings (typically under Settings > Apps & notifications > Special app access > Install unknown apps) to confirm that the NFC Service is not allowed to install apps.
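The following triage script is an added example; it is not from the article or from Nightwatch. It turns the two checks above into something you can run over adb output: the device's security patch level string and the app-op that controls whether the NFC service may install packages. The patch-level cutoff of 2019-10-01 is an assumption for illustration (the fix is listed in the October 2019 Android Security Bulletin); confirm the exact level against the bulletin. The sample values at the bottom are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not the article's or Nightwatch's code): triage a device for
# CVE-2019-2114 exposure from two values adb can read off it:
#   getprop ro.build.version.security_patch            - the security patch level
#   appops get com.android.nfc REQUEST_INSTALL_PACKAGES - whether the NFC
#       service is currently allowed to install unknown apps
# Assumption: the fix shipped at the 2019-10-01 patch level (October 2019
# Android Security Bulletin); confirm the date against the bulletin.
FIXED_PATCH_LEVEL="2019-10-01"

# patch_level_is_fixed LEVEL
# Returns 0 when LEVEL (YYYY-MM-DD, as printed by getprop) is at or after
# FIXED_PATCH_LEVEL, 1 when it is older, 2 when it is not a date at all.
patch_level_is_fixed() {
    level=$(printf '%s' "$1" | tr -d '\r')     # adb shell output carries CRs
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    # YYYYMMDD compares correctly as a plain integer
    [ "$(printf '%s' "$level" | sed 's/-//g')" -ge \
      "$(printf '%s' "$FIXED_PATCH_LEVEL" | sed 's/-//g')" ]
}

# nfc_may_install APPOPS_OUTPUT
# Returns 0 when the appops line shows REQUEST_INSTALL_PACKAGES in "allow"
# mode; "No operations." or a deny/default mode returns 1.
nfc_may_install() {
    printf '%s\n' "$1" | tr -d '\r' | grep -q 'REQUEST_INSTALL_PACKAGES: allow'
}

# assess LEVEL APPOPS_OUTPUT
# Prints a one-line summary and returns 0 only when the device is exposed:
# unpatched (or unparseable patch level) AND the NFC service may install apps.
assess() {
    level="$1"; ops="$2"
    if patch_level_is_fixed "$level"; then patched=yes; else patched=no; fi
    if nfc_may_install "$ops"; then nfc=allowed; else nfc=blocked; fi
    printf 'patch level %s: patched=%s, nfc install=%s\n' "$level" "$patched" "$nfc"
    [ "$patched" = no ] && [ "$nfc" = allowed ]
}

# Constructed sample values (not captured from a real device) so this runs offline.
SAMPLE_PATCH_LEVEL="2019-09-05"
SAMPLE_APPOPS="REQUEST_INSTALL_PACKAGES: allow; time=+2d3h ago"
if assess "$SAMPLE_PATCH_LEVEL" "$SAMPLE_APPOPS"; then
    echo "EXPOSED: apply the October 2019 update or revoke the NFC service's install permission"
else
    echo "not exposed"
fi

# Against a connected device, substitute live values:
#   assess "$(adb shell getprop ro.build.version.security_patch)" \
#          "$(adb shell appops get com.android.nfc REQUEST_INSTALL_PACKAGES)"
# The "Install unknown apps" toggle in Settings flips this same app-op, so an
# administrator can revoke it from adb as well:
#   adb shell appops set com.android.nfc REQUEST_INSTALL_PACKAGES deny
```

Note that a patched device can still report the NFC service as "allow" if a user previously toggled it on by hand; the script treats the patch level and the app-op as independent signals for that reason, and only flags the combination that the article describes.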

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
