Google patches bug that let nearby hackers send malware to your phone
Google has patched a bug in the Android operating system that could have allowed attackers to install a rogue application on a victim’s phone – but only if they were able to invade their personal space.
Nightwatch Security found the flaw, numbered CVE-2019-2114, and described it in an advisory. The problem lies in Android Beam, a feature in the mobile operating system that lets people transfer large files directly between phones. It uses near field communications (NFC), a communications mechanism enabled by default in most Android phones, often used for contactless payments.
Users can send each other files using Android Beam by placing their phone within an inch or two of another. If the phone is able to send the content, an option will appear to transfer it.
One file type that can be sent using this technology is an APK file, which is an application installable on an Android device. If it receives an APK, the Android Beam service will automatically try to install it. This is where an attacker could exploit the vulnerability.
For security reasons, Android treats APKs that don’t stem from the official Google Play Store as unknown applications. Android version 8 (codenamed Oreo) and above ask the user’s permission before installing any unknown application. That is supposed to stop users unwittingly installing rogue applications that have made their way onto the device, perhaps via email or an unknown App Store.