Android phones were affected by a bug that allowed hackers to transfer malware through NFC beaming. Google patched this Android bug last month, but devices are still at risk because NFC beaming is turned on by default.
Android phones with NFC enabled can use it to transfer large files through the Android Beam file transfer feature. Android Beam automatically copies files when two NFC-enabled devices are in close proximity. Although it is enabled by default, the feature notifies users of the files being copied to their smartphones.
Android Beam lets users copy APK files as well, but with the usual Google prompt about installing apps from unknown sources. Users are warned of the APK file transfer along with the unknown sources alert. This bug, however, bypassed the warning message and showed only the normal notification for transferring files. Discovered by security researcher Y. Shafranovich (via ZDNet), the bug affected devices running Android 8 Oreo and above.
Google lists this vulnerability, CVE-2019-2173, as the most severe one in its October 2019 security update. Google explains that this vulnerability “could enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions”.
Google has patched this bug with the October 2019 security update. Users who have an NFC-enabled device should download and install the latest security update. While Google usually rolls out security updates for Pixel devices, other brands also roll out their own versions of security updates. If you haven’t received the security update, you can turn off Android Beam under NFC on your phone.
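To check whether a given phone already carries the fix, the following added example (not code from Google or the researcher) reads the output of `adb shell getprop` and compares the Android version and security patch level with the affected range described above. It assumes that any patch level of 2019-10-01 or later includes the October 2019 fix; the function names and the sample device are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage one device from the output of `adb shell getprop`
# (lines of the form "[key]: [value]"). Thresholds below are assumptions.
FIXED_PATCH_LEVEL="2019-10-01"  # assumed first patch level carrying the October 2019 fix
MIN_AFFECTED_SDK=26             # Android 8.0 Oreo is API level 26

# Print the value of property $1 from a getprop dump on stdin (empty if absent).
getprop_value() {
    grep -F "[$1]: [" | head -n 1 | sed 's/^[^]]*\]: \[//; s/\][[:space:]]*$//'
}

# Read a getprop dump on stdin and print a verdict.
# Returns 0 = not affected or patched, 1 = exposed, 2 = cannot tell.
beam_exposure() {
    props=$(cat)
    sdk=$(printf '%s\n' "$props" | getprop_value ro.build.version.sdk)
    patch=$(printf '%s\n' "$props" | getprop_value ro.build.version.security_patch)
    case "$sdk" in
        ''|*[!0-9]*) echo "UNKNOWN: no usable ro.build.version.sdk"; return 2 ;;
    esac
    if [ "$sdk" -lt "$MIN_AFFECTED_SDK" ]; then
        echo "NOT_AFFECTED: sdk=$sdk is below Android 8"; return 0
    fi
    case "$patch" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "UNKNOWN: missing or malformed security patch level"; return 2 ;;
    esac
    # ISO dates sort lexicographically, so the older of the two sorts first.
    oldest=$(printf '%s\n%s\n' "$patch" "$FIXED_PATCH_LEVEL" | sort | head -n 1)
    if [ "$oldest" = "$FIXED_PATCH_LEVEL" ]; then
        echo "PATCHED: patch level $patch"; return 0
    fi
    echo "EXPOSED: sdk=$sdk patch=$patch; update or turn off Android Beam"; return 1
}

# Constructed sample dump (not captured from a real device).
sample_getprop() {
    printf '%s\n' '[ro.build.version.release]: [9]' \
        '[ro.build.version.sdk]: [28]' \
        '[ro.build.version.security_patch]: [2019-08-05]'
}

sample_getprop | beam_exposure || true
# Live use: adb shell getprop | beam_exposure
```

A device reported as EXPOSED or UNKNOWN is one where Android Beam should be turned off until the update arrives.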