Android bug lets hackers plant malware via NFC beaming

Android NFC
Image: Jonas Leupe

Google patched last month an Android bug that can let hackers spread malware to a nearby phone via a little-known Android OS feature called NFC beaming.

NFC beaming works via an internal Android OS service known as Android Beam. This service allows an Android device to send data such as images, files, videos, or even apps, to another nearby device using NFC (Near-Field Communication) radio waves, as an alternative to WiFi or Bluetooth.

Typically, apps (APK files) sent via NFC beaming are stored on disk and a notification is shown on screen. The notification asks the device owner if he wants to allow the NFC service to install an app from an unknown source.

But, in January this year, a security researcher named Y. Shafranovich discovered that apps sent via NFC beaming on Android 8 (Oreo) or later versions would not show this prompt. Instead, the notification would allow the user to install the app with one tap, without any security warning.

While the lack of one prompt sounds unimportant, this is a major issue in Android’s security model. Android devices aren’t allowed to install apps from “unknown sources” — as anything installed from outside the official Play Store is considered untrusted and unverified.

If users want to install an app from outside the Play Store, they have to visit the “Install apps from unknown sources” section of their Android OS and enable the feature.

Until Android 8, this “Install from unknown sources” option was a system-wide setting, the same for all apps. But, starting with Android 8, Google redesigned this mechanism into an app-based setting.

In modern Android versions, users can visit the “Install unknown apps” section in Android’s security settings, and allow specific apps to install other apps. For example, in the image below, the Chrome and Dropbox Android apps are allowed to install apps, similar to the Play Store app, without being blocked.

android-install-sources.png

android-install-sources.png

Image: ZDNet

The CVE-2019-2114 bug resided in the fact that the Android Beam app was also whitelisted, receiving the same level of trust as the official Play Store app.

Google said this wasn’t meant to happen, as the Android Beam service was never meant as a way to install applications, but merely as a way to transfer data from device to device.

The October 2019 Android patches removed the Android Beam service from the OS whitelist of trusted sources.

However, many millions of users remain at risk. If users have the NFC service and the Android Beam service enabled, a nearby attacker could plant malware (malicious apps) on their phones.

Since there’s no prompt for an install from an unknown source, tapping the notification starts the malicious app’s installation. There’s a danger that many users might misinterpret the message as coming from the Play Store, and install the app, thinking it’s an update.

How to protect yourself

There are good news and bad news. The bad news is that the NFC feature is enabled by default on mostly all newly-sold devices. Many Android smartphone owners may not even be aware that NFC is enabled even right now.

The good news is that NFC connections are initiated only when two devices are put near each other at a distance of 4 cm (1.5 inches) or smaller. This means an attacker needs to get his phone really close to a victim’s, something that may not always be possible.

To stay safe, any user can disable both the NFC feature and the Android Beam service.

If they use their Android phones as access cards, or as a contactless payment solutions, they can leave NFC enabled, but disable the Android Beam service — see image below. This blocks NFC file beaming, but still allows other NFC operations.

android-beam.jpg

android-beam.jpg

Image: ZDNet

So, there’s no need to panic. Just disable Android Beam and NFC if you don’t need them, or update your phone to receive the October 2019 security updates and continue using both NFC and Beam as usual.

A technical report on CVE-2019-2114 is available here.

About the author

E-Crypto News was developed to assist all cryptocurrency investors in developing profitable cryptocurrency portfolios through the provision of timely and much-needed information. Investments in cryptocurrency require a level of detail, sensitivity, and accuracy that isn’t required in any other market and as such, we’ve developed our databases to help fill in information gaps.

Related Posts

E-Crypto News Executive Interviews

Crypto Scams

Scammers
How Do Scammers Entice Their Prey?
May 10, 2022
Beanstalk Farms Loses $80M In A Massive DeFi Governance Flash-Loan Hack
Beanstalk Farms Loses $80M In A Massive DeFi Governance Flash-Loan Hack
April 23, 2022
Prove
Joon Pak Head of Crypto at Prove talks to Us about Crypto Fraud And More
April 11, 2022
Mintable
Mintable CEO Zach Burks Talks to Us about the Opensea Stolen NFTs and Their Recovery
March 21, 2022
Crypto Crime
Crypto Crime Surges To Record Highs As Thieves Follow Market Buzz – Chainalysis 2022 Report
February 24, 2022

Automated trading with HaasBot Crypto Trading Bots

Blockchain/Cryptocurrency Questions and Answers

Russia
Roundtable Interview-What is the Effect of The Russia-Ukraine War on Cryptocurrency Prices?
March 4, 2022
GamStop
How Does Bitcoin Casino Work + 2021 Beginner’s Guide
November 8, 2021
Cryptocurrency
How to Buy and Sell Cryptocurrency
November 8, 2021
What Are Bitcoin Futures And How Will They Work In 2022?
November 4, 2021
Ethereum
The Unconventional Guide to Ethereum
October 28, 2021


CryptoCurrencyUSDChange 1hChange 24hChange 7d
--- --- --- ---
--- --- --- ---
--- --- --- ---
USD Coin0.9989 0.16 % 0.08 % 0.04 %
BNB301.80 0.55 % 1.03 % 0.17 %
XRP0.4316 1.06 % 1.63 % 12.76 %
Cardano0.9566 0.22 % 0.68 % 6.96 %
Solana55.31 1.73 % 1.95 % 13.03 %
Binance USD0.9992 0.60 % 0.55 % 0.18 %
Polkadot10.80 1.71 % 1.37 % 0.01 %

bitcoin
Bitcoin (BTC) $ 30,222.00
ethereum
Ethereum (ETH) $ 2,057.15
tether
Tether (USDT) $ 1.00
usd-coin
USD Coin (USDC) $ 1.00
binance-coin
BNB (BNB) $ 302.99
xrp
XRP (XRP) $ 0.432807
cardano
Cardano (ADA) $ 0.571567
solana
Solana (SOL) $ 55.71
binance-usd
Binance USD (BUSD) $ 1.00
polkadot
Polkadot (DOT) $ 10.85