Android malware travels via NFC: millions of smartphones at risk

A flaw in the Android Beam app makes it easy to infect smartphones on the green robot. At risk tens of millions of devices

There is a major security flaw in Android smartphones, from version 8 Oreo onwards, arising from the NFC connection (Near Field Communication, the one used for contactless payments, for example). Google has already released a patch to fix the problem, but the devices still not updated are tens of millions.

The flaw was discovered in January by researcher Yakov Shafranovich and communicated to Google, which has already patched all Pixels in October 2019. All other Android smartphones remain to be updated, with the timing and manner chosen by individual manufacturers. It could therefore take up to months before all smartphones running Android 8, 9 and 10 are secured. In the meantime, any hacker who happens to be in the vicinity of our NFC-chip device could install malware on it without our knowledge. Without us being able to protect the device in any way.

How to install malware via NFC

Through Android Beam, Android's service that handles NFC communications between two devices, we can share content with another device located within inches of ours. But if the other device doesn't have the necessary app to view this content, it receives a notification to download the app with which to view it. And therein lies the malware risk, because the downloaded app could be infected.

From Android 8 onwards, in fact, Android Beam can install apps from unknown sources. Before Android 8, it was possible to enable the installation of apps from unknown sources only at the system level (either yes, or no for all apps), while from Oreo onwards the choice is at the individual app level. On recent OS smartphones, then, the user can choose from the settings which apps can install other apps (for example, apps like Play Store, Chrome, and Dropbox can do so by default). Android Beam can also do this, and here's where the problem arises: if a hacker sends us a file, via NFC using Android Beam, to open with an infected app, this app can be installed without Android preventing it.

How to protect yourself from malware via NFC

If we have a Pixel phone, then we don't risk anything anymore: Google has already solved the problem by removing Android Beam's privilege to install other apps. If our smartphone is not yet up to date, however, there are only two options: either disable NFC altogether (within the Bluetooth settings) and thus give up features such as contactless payments, or uninstall Android Beam and give up only the ability to exchange files with other devices.