Google has patched a bug in the Android operating system that could have allowed attackers to install a rogue application on a victim’s phone – but only if they were able to invade their personal space.
Nightwatch Security found the flaw, numbered CVE-2019-2114, and described it in an advisory. The problem lies in Android Beam, a feature in the mobile operating system that lets people transfer large files directly between phones. It uses near-field communication (NFC), a communications mechanism enabled by default in most Android phones, often used for contactless payments.
Users can send each other files using Android Beam by placing their phone within an inch or two of another. If the phone is able to send the content, an option will appear to transfer it.
One file type that can be sent using this technology is an APK file, which is an application installable on an Android device. If it receives an APK, the Android Beam service will automatically try to install it. This is where an attacker could exploit the vulnerability.
For security reasons, Android treats APKs that don’t stem from the official Google Play Store as unknown applications. Android version 8 (codenamed Oreo) and above ask the user’s permission before installing any unknown application. That is supposed to stop users unwittingly installing rogue applications that have made their way onto the device, perhaps via email or an unknown app store.
The software that manages the NFC service in the Android OS is signed by Google, meaning that the OS trusts whatever it presents. As a result, the OS automatically trusts any APK delivered to the device via Android Beam, and will install it without warning the recipient that the application is unknown.
This doesn’t mean that the flaw is easily exploitable. Although it won’t warn that the application is unknown, the OS still presents the user with a prompt asking permission to install any application, meaning that they would still have to approve it. There’s also the small matter of getting the attacker’s phone close enough to the victim’s phone without it being obvious.
That said, it is certainly possible. The victim might assume that the installation prompt was an application update. As for positioning the attack device, perhaps the attacker could mill a cavity into the underside of a desk with a very thin veneer between their phone and the surface, enabling it to communicate with the victim’s phone?
However, even if someone wanted to put that much effort in, there are easy ways to thwart the attack, according to Nightwatch.
What to do?
You can turn off permissions for the NFC app to install unknown applications, which will prevent the NFC app from trying to install an APK.
You can also turn off Android Beam in the NFC and Payment area of your Android device’s settings, while still leaving NFC on for contactless payments.
Finally, you can install the fix that Google released last month, patching the flaw.