NFC vulnerability affects millions of Android phones

Android Beam NFC vulnerability can help hackers install malware-laced apps in phones

Google has an enviable record, with more than 80 percent of the mobile OS market share, but it comes at a price: hackers find Android an easy place to prey on naive users, to steal money or trick them into installing adware-laced apps and make a quick buck.

Now, a report has emerged that there is a loophole in Android Beam, an NFC (Near Field Communication) feature, that can allow cybercriminals to install malware on a phone without the victim's knowledge. This time, it is Google's fault, says the search engine giant's very own security research group, Project Zero.

Android phones running Android 8.0 Oreo or later versions (9.0 Pie and Android 10) are vulnerable to the NFC glitch, tracked as CVE-2019-2114. If Google's official Android dashboard is to be believed, close to 39 percent (around 968 million) of all active Android phones (more than 2.5 billion) worldwide are at risk of getting hacked.

How might hackers misuse the 'CVE-2019-2114' glitch?

Usually, when data or an app is transferred between two Android phones, the receiving phone shows an on-screen notification to either accept or reject it, but devices running Oreo (or later) don't show the “install unknown application” prompt.

"In Android 8 (Oreo) a new feature was introduced that requires users to opt-in to the “Install unknown apps” permission on an app by app basis. However, it appears that any system application that is signed by Google will be automatically whitelisted and would not prompt the user for this permission," the Nightwatch Cyber Security team said in a blog post.


System application that is signed by Google will be automatically whitelisted (Picture credit: Nightwatch Cyber Security)

With this, hackers can, depending on the malware's capability, steal information such as contact details and photos, track GPS location and, in rare cases, siphon money from banking apps installed on the phone.

Note also that the NFC feature works only in close proximity (around 10 cm between devices), so the bad actor has to be right next to the victim, or tap the victim's phone, to transfer the malware-laced app.

If you have an Android phone running Oreo or a later version, you are advised to update your device to the latest October 2019 security patch. It is also imperative for Android phone-makers to release the update for their devices. As of now, only a few, such as Google, Nokia and Samsung, have rolled out the latest firmware to their devices.

Android phone owners can check for software updates by going to Settings >> About Phone >> Check software update.

Also, get security updates and Google Play system updates. Go to Settings >> tap Security >> check for an update.

To check if a security update is available, tap Security update.

To check if a Google Play system update is available, tap Google Play system update. Follow the steps as mentioned on the screen.

If your phone-maker has not released the October 2019 security patch, then disable the NFC feature. Go to Settings >> NFC and payment >> disable Android Beam. You can enable it again when you want to use it.
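For anyone checking several phones at once, the script below is an added example (not from the article, Google or Nightwatch Cyber Security) that applies the criteria above: Android 8.0 or later with a security patch level older than October 2019. It assumes the standard build properties ro.build.version.release and ro.build.version.security_patch, compares only the year and month of the patch level, and runs on a constructed sample inventory; the check_device helper is a hypothetical name for reading the same values over adb.

```shell
#!/bin/sh
# Added example: classify CVE-2019-2114 exposure using the article's criteria
# (Android 8.0 or later AND security patch level older than October 2019).

# beam_exposure RELEASE PATCH
#   RELEASE: value of ro.build.version.release, e.g. "8.1.0" or "10"
#   PATCH:   value of ro.build.version.security_patch, format YYYY-MM-DD
# Prints one of: not-affected | exposed | patched | unknown
beam_exposure() {
    major=${1%%.*}                      # "8.1.0" -> "8"
    case $major in
        ''|*[!0-9]*) echo unknown; return 0 ;;   # e.g. preview builds named "Q"
    esac
    if [ "$major" -lt 8 ]; then
        echo not-affected; return 0
    fi
    case $2 in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;    # missing or malformed patch level
    esac
    ym=$(printf '%s' "$2" | cut -c1-4,6-7)   # "2019-10-01" -> "201910"
    if [ "$ym" -ge 201910 ]; then echo patched; else echo exposed; fi
}

# check_device SERIAL: read both properties from a connected device over adb.
# Assumes adb is installed and USB debugging is enabled; not called below.
check_device() {
    rel=$(adb -s "$1" shell getprop ro.build.version.release | tr -d '\r')
    pat=$(adb -s "$1" shell getprop ro.build.version.security_patch | tr -d '\r')
    printf '%s\t%s\t%s\t%s\n' "$1" "$rel" "$pat" "$(beam_exposure "$rel" "$pat")"
}

# Constructed sample inventory (name, release, patch level); not real devices.
while read -r name rel pat; do
    printf '%-10s %-6s %-11s %s\n' "$name" "$rel" "${pat:--}" "$(beam_exposure "$rel" "$pat")"
done <<'EOF'
phone-a 7.1.2 2019-01-05
phone-b 8.1.0 2019-09-01
phone-c 9 2019-10-05
phone-d 10 2019-08-01
phone-e 9
EOF
```

A device reported as "exposed" or "unknown" is a candidate for the Android Beam workaround described above until its maker ships the update.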

The news comes in the wake of WhatsApp filing a lawsuit against Israel-based NSO Group, which used the Pegasus tool to spy on several people around the world.

WhatsApp, with the help of the Citizen Lab, the University of Toronto's 'interdisciplinary laboratory', found that the spy operators used Pegasus to illegally track people in at least 45 countries across four continents. In India, around 19 citizens, mostly human rights activists, academics, lawyers and journalists, were reportedly spied on.
