Pierluigi Paganini November 02, 2019

A vulnerability affecting devices running Andoid 8 (Oreo) or later, tracked as CVE-2019-2114, could be exploited by hackers to infect them via NFC beaming.

Google has recently released a patch to address a vulnerability affecting devices running Android 8 (Oreo) or later, tracked as CVE-2019-2114, that could be exploited to infect nearby phones via NFC beaming.

The Android Beam feature is available in the Android NFC framework and allows users to transfer large files between devices. The feature implements a simple API and allows users to start the transfer process by simply touching devices, then Android Beam file transfer automatically copies files from one device to the other and notifies the user when it’s finished.

When transferring APK files via NFC beaming, they are stored on disk and a notification is displayed to the users asking them permission to allow the NFC service to install an app from an unknown source.

Earlier this year, security expert Y. Shafranovich discovered sending APK files via NFC beaming on Android 8 or later versions would not display any security warning to the users. The researcher noticed that notification would allow the user to install the app with just one tap.

This behavior stems from the ability to allow specific apps to install other apps in the most recent version of the Android OS and Android Beam has the same level of trust as the official Play Store app this means that it could allow installing any app from an unknown source.

Clearly, it was an unwanted behavior that Google fixed with October 2019 Android patches. The patch removed the Android Beam service from the OS whitelist of trusted sources.

Experts pointed out that an impressive number of Android devices having both NFC and the Android Beam services enabled could be compromised, a nearby attacker could exploit the CVE-2019-2114 flaw to plant malware on vulnerable phones.

“In Android 8 (Oreo) a new feature was introduced that requires users to opt-in to the “Install unknown apps” permission on a app by app basis. However, it appears that any system application that is signed by Google will be automatically whitelisted and would not prompt the user for this permission. On a standard Android OS device, the NFC service is one such system application that has the permission to install other applications.” reads the analysis published by NightWatchCybersecurity “This means, that an Android phone that has NFC and Android Beam enabled, then touching a malicious phone or a malicious NFC payment terminal to the device may allow malware to be installed by bypassing the “install unknown apps” prompt.”

Even is the NFC feature is enabled by default on new Android devices, in order to transfer a file via NFC the attacker has to at a distance of 4 cm (1.5 inches) or smaller, an attack scenario that is not always feasible.

Pierluigi Paganini

(SecurityAffairs – CVE-2019-2114, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]