Vulnerability in Android
Elimination of vulnerability
At the end of October 2019, Google eliminated a vulnerability that cybercriminals could use to distribute malicious software between Android devices located close to each other. The problem was the incorrect operation of the NFC Beaming function in the “Android beam: enabled” mode, which allowed APK files of applications to be transferred to another device via NFC. Moreover, the Android Beam service itself was on the operating system's whitelist of trusted sources, so the transferred files were treated in the same way as applications from the Google Play Store. All devices based on Android Oreo (8.0) and later were affected by this vulnerability.
The extended functionality of NFC (Near Field Communication) technology works on Android devices through Android Beam, an internal service of the operating system. This service also allows you to transfer certain data between two Android devices. These can be image files, video fragments, and other files, including APK applications that may be compromised or deliberately infected.
After the NFC transfer is completed, the APK files of the applications are saved in the internal storage of the recipient device. However, if the recipient is a device based on Android Oreo (8.0) or a later version, the device does not display the corresponding prompt or notification asking for permission to install software from an unknown source. Instead, a message is displayed on the screen of the second device that allows its user to install the program received from the other device via NFC with one click.
Of course, this problem is not a serious flaw in the Android security system, since the user still needs to confirm the launch of the received file. However, an important step was skipped in this case: by default, Android devices are not allowed to install applications from “unknown sources” unless the corresponding option is activated in the device's security settings. In the case of Android Beam, even if that option was turned off, applications could still be received over NFC and installed without any OS security warnings.
It turned out that the developers had not taken one point into account: the Android Beam service had the highest level of trust by default in Android Oreo (8.0) and later versions, and all files transferred through it were treated as official applications from the Play Store, although this service was not originally intended for installing applications. The vulnerability has been assigned the number CVE-2019-2114 and was first reported on January 30, 2019. It is currently fixed in the October Android Service Pack. The vulnerability met the requirements of the Android Security Rewards program, and Google paid a reward for finding it and providing the information.
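To check whether a device falls in the affected range described above, the following added example (not code from Google or from the original article) triages the output of `adb shell getprop`. It assumes that the October fix corresponds to a security patch level of 2019-10 or later; the function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a device for CVE-2019-2114 exposure from getprop output.
# Criteria taken from the article: Android 8.0 (API level 26) or later,
# without the October 2019 update (assumed: patch level 2019-10 or newer).

# Read getprop-formatted lines on stdin, e.g. "[ro.build.version.sdk]: [27]",
# and print the value of the requested key (tolerates trailing CR from adb).
getprop_value() {
    awk -v k="[$1]: [" 'index($0, k) == 1 {
        v = substr($0, length(k) + 1); sub(/\][ \t\r]*$/, "", v); print v; exit }'
}

# Print EXPOSED, PATCHED, NOT_AFFECTED or UNKNOWN for an API level and patch level.
beam_exposure() {
    sdk=$1
    patch=$2
    case $sdk in
        ''|*[!0-9]*) echo UNKNOWN; return 0 ;;
    esac
    # Releases older than Oreo still show the unknown-sources prompt.
    if [ "$sdk" -lt 26 ]; then echo NOT_AFFECTED; return 0; fi
    case $patch in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo UNKNOWN; return 0 ;;   # missing or malformed patch level
    esac
    # Only year and month matter: 2019-09-05 becomes 201909.
    ym=$(printf '%s' "$patch" | cut -c1-7 | tr -d '-')
    if [ "$ym" -ge 201910 ]; then echo PATCHED; else echo EXPOSED; fi
}

# Classify a whole getprop dump read from stdin.
triage_getprop() {
    dump=$(cat)
    sdk=$(printf '%s\n' "$dump" | getprop_value ro.build.version.sdk)
    patch=$(printf '%s\n' "$dump" | getprop_value ro.build.version.security_patch)
    beam_exposure "$sdk" "$patch"
}

# Constructed sample dump (not from a real device): Android 8.1, September 2019 patch.
SAMPLE_UNPATCHED='[ro.build.version.sdk]: [27]
[ro.build.version.security_patch]: [2019-09-05]'

printf '%s\n' "$SAMPLE_UNPATCHED" | triage_getprop
# Against a connected device: adb shell getprop | triage_getprop
```

A device reported as EXPOSED should be updated, or have NFC or Android Beam switched off until it is.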