Android Vulnerability – NFC exploitation

November 16, 2019 | Views: 5375

This blog post is from the Knogin blog, by author Anthony Carballo. Reposted with permission.

It was found that in Android OS versions 8.0 and higher, the security warning that normally appears before installing external apps is not shown when an app is transferred via NFC (Near Field Communication). This can give a nefarious actor leverage to send and install a PUA (Potentially Unwanted Application) on your phone.

In earlier Android versions, the system shows a notification to the user during NFC file transfers. The prompt seeks the user's permission to allow NFC to install apps from unknown sources. In the versions mentioned, this does not happen. Instead, a file transfer via NFC beaming bypasses the prompt, and the notification bar shows that an app is being installed.

It seems that any system application that is signed by Google will be automatically whitelisted and would not prompt the user for this permission.

The NFC service is a system application that has permission to install other applications. This means that when an Android phone with NFC and Android Beam enabled touches a malicious phone, a malicious NFC tag or a payment terminal, malware may be installed, bypassing the “install unknown apps” prompt.

 

TTPs

An adversary only needs an NFC device containing the APK (Android application) payload to send it to the targeted Android mobile. To be exposed to this flaw, the target device must have NFC technology, and NFC must be enabled.

Once the attacker has the crafted APK, they just need a quick tap on the target to start transferring and installing the malicious APK. The user will probably notice a notification saying that the beam transfer finished.

 

Conclusions

NFC has an effective range of about 4 cm (1.5 inches), which doesn’t seem like much but is still enough to pose a threat. In security, giving adversaries an inch may lead to attackers gaining a mile.

NFC is used for applications like contactless payments, pairing of devices, and access control. Android devices also support NFC for transferring data between two devices, including documents, photos, and applications, via a feature called Android Beam.

This vulnerability could allow a malicious application to bypass user interaction requirements to gain access to additional permissions.

While Google has already released a security update and has informed its partners (mobile phone providers using a customized version of Android), some brands take more time to issue the update. It is worth keeping in mind that in this case the affected versions are recent versions of Android, so the issue can be addressed. However, there are occasions where the affected versions are old Android versions that no longer have any support from Google. That is when you should consider updating your gear.

 

CVEs

This vulnerability is tracked under:

CVE-2019-2114

Severity:

High

Vulnerable Versions:

  • Android 8.0
  • Android 8.1
  • Android 9

 

Advice

Checking for a software update is recommended. You can also check whether the NFC service has permission to install apps from unknown sources. If so, you can remove that permission in the security settings.

The best practice is to not leave NFC, or any other wireless technology, enabled when not in use. Wireless technologies are, indeed, very beneficial. Unfortunately, they also have disadvantages, for example when zero-day vulnerabilities emerge and attackers take advantage of them.
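
The checks above can be scripted for device triage. The following is an added example, not code from the original post: the function names and verdict strings are hypothetical, and the `dumpsys nfc` and `appops` output formats it parses are assumptions to confirm on your own devices.

```shell
#!/bin/sh
# Added example: triage one device against the conditions described in this post.
# Inputs are plain strings so the logic runs offline. On a live device they
# could be collected with adb (output formats are assumptions; verify yours):
#   release=$(adb shell getprop ro.build.version.release)
#   nfc=$(adb shell dumpsys nfc | grep -m1 'mState=')
#   appop=$(adb shell appops get com.android.nfc REQUEST_INSTALL_PACKAGES)

# Return 0 if the release is one the post lists as vulnerable (8.0, 8.1, 9).
is_listed_release() {
    case "$1" in
        8.0|8.0.*|8.1|8.1.*|9|9.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the NFC adapter state line reports "on".
nfc_is_on() {
    case "$1" in
        *mState=on*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 unless the app-op line explicitly blocks install requests.
# Anything else (allow, default, no entry) counts as allowed, because the
# post says Google-signed system apps are whitelisted for this permission.
nfc_may_install() {
    case "$1" in
        *"REQUEST_INSTALL_PACKAGES: deny"*|*"REQUEST_INSTALL_PACKAGES: ignore"*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print a one-word verdict. The post gives no patch level, so a listed
# release with NFC on still needs its update status confirmed separately.
assess_device() {
    release=$1; nfc_line=$2; appop_line=$3
    if ! is_listed_release "$release"; then
        echo "not-listed"
    elif ! nfc_is_on "$nfc_line"; then
        echo "listed-nfc-off"
    elif ! nfc_may_install "$appop_line"; then
        echo "listed-install-denied"
    else
        echo "exposed-check-for-update"
    fi
}
```

For example, `assess_device 9 'mState=on' 'REQUEST_INSTALL_PACKAGES: allow'` (constructed input) prints `exposed-check-for-update`.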

 

TTPs: Tactics, techniques and procedures

CVEs: Common Vulnerabilities and Exposures
