In Android OS versions 8.0 and higher, the security warning for installing external apps is not shown to users when an app is transferred via NFC (Near Field Communication). This can give a nefarious actor leverage to send and install a PUA (Potentially Unwanted Application) on your phone.
In earlier Android versions, the system shows a notification to the user during NFC file transfers. The prompt asks the user for permission to allow NFC to install apps from unknown sources. In the affected versions, however, this does not happen. Instead, a file transfer via NFC beaming bypasses the prompt, and the notification bar only shows that an app is being installed.
It seems that any system application that is signed by Google is automatically whitelisted and does not prompt the user for this permission.
The NFC service is a system application that has permission to install other applications. This means that on an Android phone with NFC and Android Beam enabled, touching the device to a malicious phone, a malicious NFC tag or a payment terminal may allow malware to be installed, bypassing the "install unknown apps" prompt.
An adversary only needs an NFC device containing the APK (Android application) payload to send it to the targeted Android mobile. For the flaw to be exploitable, the target device must have NFC, and NFC must be enabled.
Once the attacker has the crafted APK, they just need a quick tap on the target to start transferring and installing the malicious APK. The user will probably notice a notification saying that the beam transfer finished.
NFC has an effective range of about 4 cm (1.5 inches), which doesn't seem like much but is still enough to pose a threat. In security, giving adversaries an inch may let them take a mile.
NFC is used for applications like contactless payments, pairing of devices, and access control. Android devices also support NFC for transferring data between two devices, including documents, photos, and applications, via a feature called Android Beam.
This vulnerability could allow a malicious application to bypass user interaction requirements to gain access to additional permissions.
While Google has already released a security update and has informed its partners (mobile phone providers using a customized version of Android), some brands take more time to issue the update. It is worth keeping in mind that in this case the affected versions are recent versions of Android, so the issue can be addressed. However, there are occasions where the affected versions are old Android versions that no longer have any support from Google. That is when you should consider updating your gear.
This vulnerability is tracked under:
- Android 8.0
- Android 8.1
- Android 9
Checking for a software update is recommended. Also, you can check whether your NFC has permission to install apps from unknown sources. If so, you can remove those permissions. You can do it by going to security settings.
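The check described above can also be scripted for devices reachable over adb. The following is an added example, not part of the original article: it assumes the NFC service package is `com.android.nfc`, that the relevant app-op is `REQUEST_INSTALL_PACKAGES`, and that `appops get` prints lines of the form `OP: mode`; the sample inputs at the end are constructed.

```shell
#!/bin/sh
# Added example (not from the article): flag devices matching the exposure
# described above. Assumptions: NFC service package name, app-op name, and
# the "OP: mode" output format of `appops get`.
NFC_PKG="com.android.nfc"
OP="REQUEST_INSTALL_PACKAGES"

# Return 0 if the release string is one of the versions the article lists.
is_listed_release() {
    case "$1" in
        8.0|8.0.*|8.1|8.1.*|9|9.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the mode from raw `appops get` output; prints "unknown" if absent.
parse_mode() {
    mode=$(printf '%s\n' "$1" | tr -d '\r' |
        sed -n "s/^[[:space:]]*$OP:[[:space:]]*\([a-z]*\).*/\1/p" | head -n 1)
    printf '%s\n' "${mode:-unknown}"
}

# Classify a device from its release string and raw appops output.
assess() {
    release=$1
    mode=$(parse_mode "$2")
    if ! is_listed_release "$release"; then
        echo "NOT_LISTED"
        return
    fi
    case "$mode" in
        allow)       echo "EXPOSED" ;;   # NFC service may install packages
        ignore|deny) echo "REVOKED" ;;   # permission explicitly removed
        *)           echo "REVIEW" ;;    # default/unknown: check in Settings
    esac
}

# Query one connected device over adb (not called automatically).
audit_device() {
    rel=$(adb shell getprop ro.build.version.release | tr -d '\r')
    out=$(adb shell appops get "$NFC_PKG" "$OP" 2>&1)
    printf '%s %s\n' "$rel" "$(assess "$rel" "$out")"
}

# Constructed sample inputs, so the script runs without a device attached.
assess "9" "REQUEST_INSTALL_PACKAGES: allow; time=+2h3m ago"
assess "8.1.0" "REQUEST_INSTALL_PACKAGES: ignore"
assess "7.1.2" "No operations."
```

Call `audit_device` with a device attached to run the same classification on live output; a `REVIEW` result means the mode was not set explicitly and the setting should be confirmed in the device's security settings.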
The best practice is not to leave NFC, or any other wireless technology, enabled when not in use. Wireless technologies are, indeed, very beneficial. Unfortunately, there are disadvantages, for example, when zero-day vulnerabilities emerge and attackers take advantage of them.
TTPs: Tactics, techniques and procedures
CVEs: Common Vulnerabilities and Exposures