Google rolled out a patch on a bug tracked as CVE-2019-2114, that could infect the nearby phones through NFC Beaming.
Don’t your share apps among your friends? Have you ever thought of a hidden malware shared along with the app?
In January this year, Security Researcher Y. Shafranovich discovered that files sent through NFC beaming do not display any security warnings to the users of Android 8 and above.
NFC Beaming works through an internal Android OS service known as Android Beam. NFC is designed to share data like images, videos and files between two nearby Android devices using Near-Field Communication radiowaves an alternative for Bluetooth or WiFi.
What usually happens?
Generally, when a person sends an app via NFC are saved on disk, and the user gets a prompt on their device asking for permission to install the app from an unknown sender.
What has transpired?
Currently, instead of seeing a notification, it will permit the user to install the app using a single tap without any warning, and the app could bundle malicious malware. The users might misinterpret that the message comes from the play store and install it, thinking that it is an update.
This is one of the significant issues for Android. Android devices are not allowed to install applications from “unknown sources” – since anything installed outside the Google Play Store is unreliable and unverified.
Till Android 8 ‘Install from unknown sources’ was a system-level setting in which permission was needed for individual apps to install unknown APK files. Later, from Android 8 onwards, Google redesigned this into an app-based setting.
Affected versions and fix released
Affected versions of Android are version 8 (Oreo) and higher. The vendor assigned CVE-2019-2114 to track this issue and released a fix in the October 2019 security bulletin by removing the NFC Beaming feature from its list of whitelisted apps.
Users can turn off the NFC and Android features and are encouraged to update their Android smartphones.
The good news is that the NFC feature works when you hold two devices very close (approx 4cm or 1.5 inches). So if an attacker needs to plant malware, he must bring his phone close to your device, and you can be aware of it.
You may be interested in reading: Click2Mail Suffers Data Breach