In Oct, Google rolled out a patch on an Android bug that allows hackers to spread malware to a smartphone nearby through an Android OS feature known as NFC Beaming. This process works through an internal Android operating system known as the Android Beam. This service enables an Android device to send data like videos, images, files, and apps to a nearby device using Near-Field Communication radio waves, an alternative for Bluetooth or WiFi.

Usually, APK files sent through NFC beaming are saved on disk, and the user gets a notification on the screen whenever a transfer is made. The notification asks the user if he will allow the NFC service to install the app from an unknown sender. However, security researcher Y. Shafranovich discovered in Jan 2019 that apps sent through NFC Beaming on Android 8 or Oreo or later version does not support this kind of notification.

android malware infection how to protect
All Android devices running on Android 8 (Oreo) or later are affected; Google rolled out a patch last month to fix the issue. Reuters

What happens is that instead of seeing a notification, it will enable the user to install the app using a single tap without any warning. The lack of prompt sound is nothing significant, but it is a massive issue in the security model of Android. Devices running on Android OS are not allowed to install apps from unknown sources since anything downloaded or installed outside the Google Play Store is unverified and untrusted.

But beginning with Android 8, Google remade this system into an application-based setting. The CVE-2019-2114 existed because the Android Beam app is also whitelisted, getting the same level of trust similar to apps found in the official Play Store. According to the search engine giant, Android Beam service was never intended as a way of installing apps but just an alternative to transferring data from one device to another device.

Although the Android patches released in Oct 2019 removed the Android Beam service from the operating system whitelist of trusted sources, millions of Android users are still at risk. This is because when a device has enabled the Android beam service and the NFC service, a nearby attacker could put malicious apps on the Android device without the owner’s knowledge. Also, because of the absence of prompt, a single tap on the notification allows the malicious apps to be installed in the device. There is also the risk that users might misinterpret the message that it comes from the Play Store and easily install it, thinking that it is an update.