Google has recently released a patch to address a vulnerability affecting devices running Android 8 (Oreo) or later, tracked as CVE-2019-2114, that could be exploited to infect nearby phones via NFC beaming.
The Android Beam feature is available in the Android NFC framework and allows users to transfer large files between devices. The feature implements a simple API and allows users to start the transfer process by simply touching devices, then Android Beam file transfer automatically copies files from one device to the other and notifies the user when it’s finished.
When transferring APK files via NFC beaming, they are stored on disk and a notification is displayed to the users asking them permission to allow the NFC service to install an app from an unknown source.
Earlier this year, security expert Y.
This behavior stems from the ability to allow specific apps to install other apps in the most recent version of the Android OS and Android Beam has the same level of trust as the official Play Store app this means that it could allow installing any app from an unknown source.
Clearly, it was an unwanted behavior that Google fixed with October 2019 Android patches. The patch removed the Android Beam service from the OS whitelist of trusted sources.
Experts pointed out that an impressive number of Android devices having both NFC and the Android Beam services enabled could be compromised, a nearby attacker could exploit the CVE-2019-2114 flaw to plant malware on vulnerable phones.
“In Android 8 (Oreo) a new feature was introduced that requires users to opt-in to the “Install unknown apps” permission on
Even is the NFC feature is enabled by default on new Android devices, in order to transfer a file via NFC the attacker has to at a distance of 4 cm (1.5 inches) or smaller, an attack scenario that is not always feasible.