New Android bug allowed hackers to plant malware through NFC beaming

A bug that was found to have impacted all Android 8 Oreo and later devices allowed hackers to spread malware to nearby phones using NFC beaming. The bug was patched in October 2019. NFC beaming aka Android Beam in Android, allows Android devices to send data like videos, images, files, and apps to a nearby device using Near-Field Communication radio waves, an alternative to Bluetooth or WiFi. Usually, when NFC beaming is used to send an APK file, it is saved on disk and the user is notified whenever a transfer is made. A notification asks the user if they will allow the installation of an app from an unknown sender. [caption id=“attachment_6589311” align=“alignnone” width=“1024”]  The Google Pixel 3a XL. Image: Omkar G[/caption] However, as was recently discovered by a security researcher, a bug kept the NFC beaming feature from notifying users about installing an app from an unknown sender. This is a matter of grave concern as an attacker could, theoretically, beam an app over to your phone and then install a malicious app, compromising it remotely.

NFC Beaming Bypasses Security Controls in Android [CVE-2019-2114] https://t.co/HkbFznU3Vz pic.twitter.com/RpccJoEbQL

— Nightwatch Cyber (@nightwatchcyber) October 25, 2019

While the October security update for Android patches the bug, a compromised device is likely to remain compromised because the malicious apps would already have been installed.

How to protect your device from the NFC bug?

On most of the newly-sold Android devices, NFC is enabled by default. In order to disable NFC, you can head to Settings > Connectivity > NFC and Payment. However, in case you use your Android device as an access card, or for contactless payment, you can just disable Android Beam from your settings and leave the NFC and Payment option enabled. This will continue to allow you to use your device for contactless payment but will block NFC file beaming.