
This smartphone bug could let hackers spread malware to nearby Android handsets

Last month, Google patched an Android bug that allowed hackers to remotely spread malware using NFC beaming. 

NFC (Near-Field Communication) beaming is an Android OS feature that allows the sending of files, apps, images and more. It works similarly to Wi-Fi or Bluetooth in practice, but uses very short-range radio waves.

Security expert Y. Shafranovich found earlier this year that sending APK files via NFC beaming on devices using Android 8 or later did not result in any prompt or security notification for the user.


Some hackers took advantage of this, using it as a way of transmitting malware onto people’s devices. Some used devices like payment terminals to transmit the malware, in the same way that fraudsters have been known to take contactless payments through people’s pockets or bags.

Android users are being encouraged to update their devices as soon as possible. New updates have eradicated this security loophole, so the latest OS version is safer than its predecessor.

The security analysts at Nightwatch Cybersecurity explained: “In Android 8 (Oreo) a new feature was introduced that requires users to opt-in to the ‘Install unknown apps’ permission on an app by app basis. However, it appears that any system application that is signed by Google will be automatically whitelisted and would not prompt the user for this permission.

“On a standard Android OS device, the NFC service is one such system application that has the permission to install other applications. This means that, on an Android phone that has NFC and Android Beam enabled, touching a malicious phone or a malicious NFC payment terminal to the device may allow malware to be installed by bypassing the ‘install unknown apps’ prompt.”


The security experts went on to explain how you can examine, and correct, these settings yourself: “To see these permissions, use any Android phone with NFC and running v8 or higher, go to ‘Settings’, search for ‘Install unknown apps’ to find the permission. Tap through to view apps, and make sure to select ‘Show system’ in the dropdown menu. You will see that the ‘NFC Service’ is listed as being allowed to install applications by default.”

If you’re not able to install the necessary updates immediately, the above measure can make your phone safer for now. The best thing for your security, though, is to install the latest version of Android available to you.
