The Android Beam app, installed on many Android devices, can be the gateway to dangerous apps. Android Beam allows transmission and reception of data using NFC near-field radio. You can also receive installation files for apps. By mistake, on Android 8, 9 and 10, the Android Beam app may install other apps from unknown sources. The usual warning is omitted.
This could result in users installing a malicious app after receiving a file through Android Beam with a simple tap or click, perhaps because they consider it an update. Since the NFC range is very short, an attacker has to get up to a few inches to the target phone to send the app. A prepared payment terminal is a plausible attack scenario. Although Germans do not want to pay with their mobile phones, this is the trend elsewhere.
How to protect yourself
Remedy the October update for Android. Unfortunately, many terminal manufacturers lag behind for months when it comes to closing security holes. Until the October update is up, users on Android 8, 9, or 10 devices should either turn off NFC functionality or deny Android Beam or the Nfc service permission to install apps from unknown sources. Turning off NFC completely is the easier way to correct the permissions the more elegant; it also brings fewer functional limitations with it.
The problem has been discovered by security researcher Yakov Shafranovich. He reported it to Google on January 30, 2019 and subsequently received a reward under the Android Bounty Program. Google ranks the security threat of the bug CVE-2019-2114 as "high" one. Nevertheless, the group has until the October update Androids needed to offer a patch.
(Ds)
. (TagsToTranslate) Android (t) Google (t) NFC (t) Security
