This smartphone bug could let hackers spread malware to nearby Android handsets

Last month, Google patched an Android bug that allowed hackers to remotely spread malware using NFC beaming. 

NFC (Near-Field Communication) beaming is an Android OS feature for sending files, apps, images and more between devices. In practice it works much like a Wi-Fi or Bluetooth transfer, but over NFC's short-range radio link.

Security expert Y. Shafranovich found earlier this year that sending APK files via NFC beaming on devices using Android 8 or later did not result in any prompt or security notification for the user.

Some hackers took advantage of this, using it as a way of transmitting malware onto people’s devices. Some used devices like payment terminals to transmit the malware, in the same way that fraudsters have been known to take contactless payments through people’s pockets or bags.

Android users are being encouraged to update their devices as soon as possible. New updates have eradicated this security loophole, so the latest OS version is safer than its predecessor.

The security analysts at Nightwatch Cybersecurity explained: “In Android 8 (Oreo) a new feature was introduced that requires users to opt-in to the ‘Install unknown apps’ permission on an app by app basis. However, it appears that any system application that is signed by Google will be automatically whitelisted and would not prompt the user for this permission.

“On a standard Android OS device, the NFC service is one such system application that has the permission to install other applications. This means that on an Android phone that has NFC and Android Beam enabled, touching a malicious phone or a malicious NFC payment terminal to the device may allow malware to be installed by bypassing the ‘install unknown apps’ prompt.”

The security experts went on to explain how you can examine, and correct, these settings yourself: “To see these permissions, use any Android phone with NFC and running v8 or higher, go to ‘Settings’, search for ‘Install unknown apps’ to find the permission. Tap through to view apps, and make sure to select ‘Show system’ in the dropdown menu. You will see that the ‘NFC Service’ is listed as being allowed to install applications by default.”

If you’re not able to install the necessary updates immediately, the above measure can make your phone safer for now. The best thing for your security, though, is to install the latest version of Android available to you.
