NFC beaming operates through an internal OS service known as Android Beam. This service allows an Android device to send data such as images, files, videos or even applications to another nearby device using NFC (Near-Field Communication) as an alternative to WiFi or Bluetooth.
Usually, applications (APK files) sent via NFC beaming are stored on disk and a notification is displayed on the screen. The alert asks the device owner whether they want to allow the NFC service to install an application from an unknown source.
However, in January this year, security researcher Y. Shafranovich discovered that applications sent through NFC beaming to Android 8 (Oreo) or later do not trigger this approval prompt in the notification. Instead, the alert allows the user to install the app with one tap, without any security warning.
The lack of a security warning is a major issue for Android. Android devices are not allowed to install applications from “unknown sources”, as anything installed outside the official Play Store is considered unreliable and unverified.
If users want to install an app from outside the Play Store, they must visit the "Installing apps from unknown sources" section of the Android OS and enable the feature.
Until Android 8, this "Install from unknown sources" option was a system-level setting, the same for all applications. But starting with Android 8, Google redesigned this mechanism into an app-based setting.
In modern versions of Android, users can visit the "Install unknown applications" section of Android security settings and allow specific applications to install other applications.
The CVE-2019-2114 bug occurred because the Android Beam application was whitelisted, receiving the same level of trust as the official Play Store app.
Google said there was no reason to worry, as the Android Beam service was not created to install applications, but merely as a way of transferring data from device to device.
The October 2019 Android patches remove the Android Beam service from the OS whitelist.
However, many millions of users remain at risk. If users have NFC and Android Beam enabled, a hacker could plant malware on their phones.
With no security alert for installation from an unknown source, tapping the notification begins the installation of the malware. There is a risk that many users will misinterpret the message as coming from the Play Store and install the app, considering it to be an update.
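For administrators who need to find the devices still at risk, the conditions described above (Android 8 or later, no October 2019 patches, NFC enabled) can be checked against a device inventory. The script below is an added example, not code from the researcher or from Google. The function names, verdict labels, inventory format and the `2019-10-05` threshold are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: triage devices for CVE-2019-2114 exposure from inventory data.
# Assumption: FIXED_LEVEL is the later October 2019 patch level; the article
# only says "October 2019". A later level includes every earlier level's fixes.
FIXED_LEVEL="2019-10-05"
MIN_SDK=26   # Android 8.0 (Oreo), where the per-app install setting begins

# classify SDK PATCH_LEVEL [NFC_STATE] -> prints one verdict word
classify() {
    sdk=$1; patch=$2; nfc=${3:-unknown}
    case $sdk in ''|*[!0-9]*) echo "invalid"; return 1 ;; esac
    case $patch in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "invalid"; return 1 ;;
    esac
    if [ "$sdk" -lt "$MIN_SDK" ]; then echo "not-affected"; return 0; fi
    # Strip the dashes so the ISO dates compare as plain integers.
    p=$(echo "$patch" | tr -d '-'); f=$(echo "$FIXED_LEVEL" | tr -d '-')
    if [ "$p" -ge "$f" ]; then echo "patched"; return 0; fi
    if [ "$nfc" = "off" ]; then echo "unpatched-nfc-off"; else echo "exposed"; fi
}

# triage: read "serial sdk patch nfc" lines on stdin, print serial and verdict
triage() {
    while read -r serial sdk patch nfc; do
        case "$serial" in ''|'#'*) continue ;; esac
        echo "$serial $(classify "$sdk" "$patch" "$nfc")"
    done
}

# probe_device SERIAL: read both values from a connected device over adb
probe_device() {
    sdk=$(adb -s "$1" shell getprop ro.build.version.sdk | tr -d '\r')
    patch=$(adb -s "$1" shell getprop ro.build.version.security_patch | tr -d '\r')
    classify "$sdk" "$patch" unknown   # NFC state unknown: treated as enabled
}

# Constructed sample inventory (serial sdk patch-level nfc), not real devices.
sample_inventory() {
cat <<'EOF'
dev-a 28 2019-08-05 on
dev-b 28 2019-10-05 on
dev-c 25 2017-03-01 on
dev-d 27 2019-09-01 off
EOF
}

sample_inventory | triage
```

An unknown NFC state is treated as enabled, so a device is only downgraded from `exposed` when the inventory explicitly records NFC as off.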