New NFC vulnerability affects Android 7, 8 and 9; Google won’t fix this flaw

Vulnerability testing specialists report finding a new security flaw affecting multiple versions of Android. By default, no Android app can perform operations that negatively impact other apps, the operating system or the user, so activities such as reading or writing private data, accessing another app's files, or keeping the device awake, among others, are restricted.

In the report, experts describe a recently found vulnerability in Tags, an app that comes pre-installed on the Android operating system and that reads Near Field Communication (NFC) tags, parses them and forwards the results. The vulnerability, tracked as CVE-2019-9295, would allow any unauthorized app to trick Tags into treating forged data as a newly scanned NFC tag, which would be very useful in multiple attack scenarios.

This is not considered a critical vulnerability. However, vulnerability testing experts believe that Android users, especially those who are not on version 10, should be aware of this security risk, as it could be the cause of more severe security flaws in the future. In a statement, Google specified that the vulnerability was only fixed in Android 10, so the fix is not available for earlier versions.

This vulnerability allows a malicious application to simulate the receipt of an NFC tag, and it can simulate any type of tag, such as NDEF records. The downside for hackers is that user interaction is required to trigger the different attack scenarios.

The report raises two main attack scenarios:

  • A pop-up window could appear at random, alerting the user that a new NFC tag (generated by a malicious application) has been scanned. The user would have to interact with this pop-up to choose an app to handle the notification.
  • The target user scans a real NFC tag. This could allow the malicious app to intercept and change the contents of the tag before the operating system's default application handles it. For example, a user might scan a company tag that contains a phone number; during the process, the unauthorized app changes the phone number from the original tag without the user noticing any hint of anomalous activity.

According to vulnerability testing experts, either scenario requires the user to be tricked: into clicking on a link that redirects to a page controlled by attackers, into accepting a wrong phone number, or into any other action that can be embedded in an NFC tag. It is important to note that even though the vulnerability allows forging any NFC tag, the need for user interaction reduces its impact considerably.

Vulnerability testing experts from the International Institute of Cyber Security (IICS) mention that the Android 10 update that fixes this flaw was released about a month ago. However, many devices have not yet received the operating system update. In addition, Google has already announced that the vulnerability will not be fixed in previous versions of the operating system, so the only recommendation for users and developers is caution.