Google has patched a bug in the Android operating system that could have allowed attackers to install a rogue application on a victim’s phone – but only if they were able to invade their personal space.
Nightwatch Security found the flaw, numbered CVE-2019-2114, and described it in an advisory. The problem lies in Android Beam, a feature in the mobile operating system that lets people transfer large files directly between phones. It uses near field communications (NFC), a communications mechanism enabled by default in most Android phones, often used for contactless payments.
Users can send each other files using Android Beam by placing their phone within an inch or two of another. If the phone is able to send the content, an option will appear to transfer it.
One file type that can be sent using this technology is an APK file, which is an application installable on an Android device. If it receives an APK, the Android Beam service will automatically try to install it. This is where an attacker could exploit the vulnerability.
For security reasons, Android treats APKs that don’t stem from the official Google Play Store as unknown applications. Android version 8 (codenamed Oreo) and above ask the user’s permission before installing any unknown application. That is supposed to stop users unwittingly installing rogue applications that have made their way onto the device, perhaps via email or an unknown App Store.
The software that manages the NFC service in the Android OS is signed by Google, meaning that the OS trusts whatever it presents. That means that it automatically trusts any APKs delivered to the device via Android Beam, and will install them without warning the recipient that the application is unknown.
This doesn’t mean that the flaw is easily exploitable. Although it won’t warn that the application is unknown, the OS still presents the user with a prompt asking permission to install any application, meaning that they would still have to approve it. There’s also the small matter of getting the attacker’s phone close enough to the victim’s phone without it being obvious.
That said, it is certainly possible. The victim might assume that the installation prompt was an application update. As for positioning the attack device, perhaps the attacker could mill a cavity into the underside of a desk with a very thin veneer between their phone and the surface, enabling it to communicate with the victim’s phone?
However, even if someone wanted to put that much effort in, there are easy ways to thwart the attack, according to Nightwatch.
What to do?
You can turn off permissions for the NFC app to install unknown applications, which will prevent the NFC app from trying to install an APK.
You can also turn off Android Beam in the NFC and Payment area of your Android device’s settings, while still leaving NFC on for contactless payments.
Finally, you can install the fix that Google released last month, patching the flaw.
Donald Walton
I thought I had signed on to sophos but I have not received any evidence that this has actually happened.ll
Anna Brading
Hi Donald, Sorry to hear you’re having trouble. Can you give me a bit more info about what you’ve tried to sign on to so we can work out what’s happened? Thanks!
Tony Gore
Glad that the bug is patched, but my experience of NFC is that in using it with my camera, on my last and current phone I have to make a contact within an accuracy of about a centimetre and hold it there long enough for it to read. I also keep NFC turned off, because if it is on, I get random and frequent beeps from the phone – I suspect other apps interact with it and trigger the beeps as a result – maybe if NFC is on, they try to use it and beep when it fails to read something. And no, I don’t keep it in my pocket with my passport. (Android and NFC are required to register in the UK as an EU citizen to remain in the country – Apple users have to find an Android friend).
dumbfound
Tony, so your saying people without a phone aren’t allowed in the UK?