Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Android Bug Cellphones Operating Systems

Android Bug Lets Hackers Plant Malware Via NFC Beaming (zdnet.com) 14

An anonymous reader quotes a report from ZDNet: Google patched last month an Android bug that can let hackers spread malware to a nearby phone via a little-known Android OS feature called NFC beaming. NFC beaming works via an internal Android OS service known as Android Beam. This service allows an Android device to send data such as images, files, videos, or even apps, to another nearby device using NFC (Near-Field Communication) radio waves, as an alternative to WiFi or Bluetooth. Typically, apps (APK files) sent via NFC beaming are stored on disk and a notification is shown on screen. The notification asks the device owner if he wants to allow the NFC service to install an app from an unknown source. But, in January this year, a security researcher named Y. Shafranovich discovered that apps sent via NFC beaming on Android 8 (Oreo) or later versions would not show this prompt. Instead, the notification would allow the user to install the app with one tap, without any security warning.

The CVE-2019-2114 bug resided in the fact that the Android Beam app was also whitelisted, receiving the same level of trust as the official Play Store app. Google said this wasn't meant to happen, as the Android Beam service was never meant as a way to install applications, but merely as a way to transfer data from device to device. The October 2019 Android patches removed the Android Beam service from the OS whitelist of trusted sources. However, many millions of users remain at risk. If users have the NFC service and the Android Beam service enabled, a nearby attacker could plant malware (malicious apps) on their phones.
Since most newly-sold devices have the NFC feature enabled by default, you'll have to disable Android Beam and NFC or update your phone to receive the October 2019 security updates if you want to protect yourself from this bug.
This discussion has been archived. No new comments can be posted.

Android Bug Lets Hackers Plant Malware Via NFC Beaming

Comments Filter:
  • by Burdell ( 228580 ) on Monday November 04, 2019 @07:11PM (#59381330)

    The phone user still has to tap on a notification to say "install"... the missing security warning isn't great, but it seems like a pretty low threat.

    • Unfortunately most users are complete idiots. Especially if you name the hack something like "Android Security Update". Same as the old days in Internet Explorer 6 when ActiveX alerts would pop up and install 20 toolbars. NFC is Not F'ing Cool.
      • Unfortunately most users are complete idiots. Especially if you name the hack something like "Android Security Update".

        OH SHIT.

      • by Amouth ( 879122 )

        Not just users but developers - i'll put 10$ down that whomever did the NFC beaming just grabbed the old Bluetooth Beaming code from the 90's and added to it.. because this is the exact same crap just with a different protocol....

    • by ColaMan ( 37550 )

      And it's NFC, so you have to basically put your phone on someone else's phone - and they also have to be at the "send this file or app to someone else via NFC" stage on their phone for this to work.

      And then you have to tap a button to install said app on your phone.

      So..... is this a big deal, really?

  • Unless I'm using it.
    • by Ksevio ( 865461 )

      Even if you have it on, Android turns it on when the phone is locked. An attacker would have to wait until you had your phone unlocked, then get really close to you to transfer it and hope you press the install button

      • An attacker would have to wait until you had your phone unlocked, then get really close to you to transfer it and hope you press the install button

        Uhh, why wait for you? If they're NFC close to your unlocked phone, they can press it themselves. With their nose even.

  • My phone is Android 5 or something. There are no updates, and I don' t think these supermarket specials ever did. So lots of the population have wide open obsolete phones. I don't think Google thinks there is any backlash by alert Android users that they are being privicided, generating revenue for Google and Alphabet and getting no quid pro quo. I suspect we will hear new variations, such as clear antennas on public transport ticket machines vending machines and others where NFC is used. It will be a pain
  • It's a very informative post to us, I have visited.hope you will share a quality blog. I mark this Post for future reference. visit:- Geek squad [geektechsupport.co.uk]

Business is a good game -- lots of competition and minimum of rules. You keep score with money. -- Nolan Bushnell, founder of Atari

Working...