Once again, here is a heads-up for Android users, but not so serious (maybe). Reportedly, a vulnerability affecting the NFC beaming in Android devices can allow cyber attacks. While Google has already rolled out a patch for it, not all Android users are safe yet.
Reportedly, researcher Y. Shafranovich discovered a major glitch in the latest Android devices earlier this year. He found the vulnerability in the NFC beaming feature of Android 8 and later devices.
Specifically, he noticed that the recent Android OS versions do not prompt users to allow NFC to install external apps. Instead, during a file transfer via NFC beaming, the system simply shows users an app installation alert without any security prompt.
This is in contrast to the earlier Android versions where the system shows a notification to the users during NFC file transfers. The prompt clearly seeks permission from the users to allow NFC to install apps from unknown sources. This is in accordance with the general Android settings in older devices (up to Android 7) where a single option manages all apps regarding installation from unknown sources.
In Android 8 and later versions, by contrast, a dedicated permission control comes with every app.
While that sounds harmless, the problem lies in how Google handles this permission for apps by default. The new Android versions simply whitelist all apps signed by Google and allow them to install apps from external sources.
Hence, the glitch exposes the recent Android versions, 8, 8.1, and 9, to security risks. A potential attacker can exploit this vulnerability to send malicious applications to a target device. As elaborated by the researcher,
Technical details are available in an advisory.
After finding the vulnerability in January 2019, the researcher reported the matter to Google. After working on the fix for months, Google finally released the patch with the October 2019 Android updates. It has classified the bug (CVE-2019-2114) as a high-severity vulnerability.
Therefore, users with devices running Android 8.0 and later versions should make sure they update their devices to install the fix.
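To check which devices still need the fix described above, the following added example (not code from the researcher's advisory or from Google) classifies devices by Android release and security patch level. It assumes the two values are read from the `ro.build.version.release` and `ro.build.version.security_patch` properties and that a patch level of 2019-10-01 or later contains the fix; the device serials and inventory lines are constructed.

```shell
#!/bin/sh
# Added example: triage devices for CVE-2019-2114 from two system properties.
# Per device, the values can be collected with:
#   adb -s SERIAL shell getprop ro.build.version.release
#   adb -s SERIAL shell getprop ro.build.version.security_patch
# Assumption: first patch-level date of the October 2019 update.
FIX_LEVEL="2019-10-01"

# classify RELEASE PATCH -> prints not-affected | patched | exposed | unknown
classify() {
    release=$1
    patch=$2
    major=${release%%.*}                      # "8.1.0" -> "8"
    case $major in
        ''|*[!0-9]*) echo unknown; return ;;  # non-numeric release string
    esac
    # Android 7 and earlier use the single device-wide unknown-sources switch.
    if [ "$major" -lt 8 ]; then echo not-affected; return; fi
    case $patch in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return ;;            # missing or malformed patch level
    esac
    # YYYY-MM-DD with dashes removed compares correctly as an integer.
    p=$(printf '%s' "$patch" | sed 's/-//g')
    f=$(printf '%s' "$FIX_LEVEL" | sed 's/-//g')
    if [ "$p" -ge "$f" ]; then echo patched; else echo exposed; fi
}

# triage: reads "serial release patch" lines on stdin, prints "serial verdict".
triage() {
    while read -r serial release patch; do
        [ -n "$serial" ] || continue
        printf '%s %s\n' "$serial" "$(classify "$release" "$patch")"
    done
}

# count_exposed: number of exposed devices in an inventory on stdin.
count_exposed() { triage | awk '$2 == "exposed" { n++ } END { print n + 0 }'; }

# Constructed inventory (serial, release, security patch level).
sample_inventory() {
    printf '%s\n' 'DEV-A 8.1.0 2019-09-05' 'DEV-B 9 2019-10-01' \
        'DEV-C 7.1.2 2018-01-01' 'DEV-D 9 2019-08-01' 'DEV-E 9'
}

sample_inventory | triage
```

Devices reported as `unknown` did not return a usable patch level and need a manual check in the system settings.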