Few months back, researchers discovered that hackers can use NFC to install malware in your Android smartphones. Read on to know more…
Few months back, researchers discovered that hackers can use NFC to install malware in your Android smartphones. Smartphones running on Android 8 Oreo and higher come with a vulnerability that allows hackers to install malicious code on a smartphone using NFC technology.
The CVE-2019-2114 bug dwelt in the fact that Google whitelisted the NFC Beaming feature, which wasn’t meant to happen. According to Google, the Android Beam service was meant to transfer data from device to device and not install applications.
According to a report by ZDNet, hackers have determined a bug in smartphones running on Android 8.0 Oreo or newer versions of Google’s mobile operating system that enables them to install malware using the phone’s NFC, the feature that uses Android Beam to send data – such as images, videos, audio files and apps — from one Android smartphone to another using near field communication (NFC — hence the name) radio waves.
As a convention, when users share apps using their Android phone’s NFC feature they are shown a notification which asks them if they want the feature to install the app from an unknown source on their device. However, earlier this year it was discovered that phones running on Android Oreo or newer versions of Android OS would not show this notification. The report notes that instead, it would show a prompt that would allow users to install the app using a single tap.
Android’s security model deems any app installed from out its official Play Store as untrusted. If a user wants to install an app from outside – say an app he/she received using Bluetooth or in this case NFC – they will have to so using manually using their phone’s settings. The report notes that, until the company released Android Oreo, “Install from unknown sources” option was a system-wide setting, however, Android 8.0 changed to app based setting. This means that users will have to give permissions for specific apps to install them on their phones.
The security bug gave Android Beam or the apps installed via Android Beam the same level of trust as that received by apps installed from the Google Play Store, which means no security prompts at all.
Google has fixed the vulnerability with October 2019 Android patches and removed the Android Beam service from the OS whitelist of trusted sources. However, many millions of Android device users that have the NFC service and Android Beam service enabled are at risk, as a nearby attacker exploit the CVE-2019-2114 flaw to plant malware (malicious apps) on vulnerable phones.
if you haven’t updated your phone yet, you might want to do it now. Note that for a hacker to install a malware on your smartphone, they would have to be in a distance of about 10cm from your phone, which is not a generic scenario. To prevent this feature from being used to target you in future, you can turn the NFC feature and Android beam off on your smartphone and you are good to go.