Android Settings Update Create NFC Vulnerability

A recent update to the Android OS has created an exploit that users of near-field communications (NFC) technology should deal with immediately. Google has already addressed the issue by releasing a patch, but it needs to be downloaded and installed on phones. NFC systems are the basis of contactless payments, and the exploit threatens to allow malicious users to gain access to the handset to install unwanted applications.

NFC is a core feature that Android has enabled by default. The enabling of NFC isn’t a problem by itself, but a secondary setting that is also enabled by default allows unsigned applications to be installed on the handset. Previously, this was a systemwide setting, which could be turned on or off so that apps that don’t originate from the Play Store would have limited access to the handset. The new setting changes the permission settings for installing unsigned applications to an app-by-app basis, then sets each core Android app (such as Android Beam, the NFC communicator) as trusted applications.

Introducing a Problem

The scenario for the installation of a malicious app might not even be conspicuous. The user would just need to touch a payment portal that has a prompt for the installation of the software on the phone. The user might then be prompted to allow the app privileges with an official notification that makes it seem as though the malicious app comes directly from the play store. By the time the user has realized what they have done, it’s too late, and the malware is already live.

Google’s patch for the problem came out in October, and the update seeks to close the vulnerability by removing Android Beam as a trusted source. Users should update their devices as soon as possible to avoid falling prey to the vulnerability. Unlike many Android vulnerabilities, this one is relatively straightforward to deal with even without the patch. Users can access their settings for Android Beam and turn off the trusted status themselves. Users that haven’t yet gotten the latest patch can take the requisite precautions to ensure they don’t end up on the wrong end of a malicious app install from an NFC source.