Checkmarx specialists revealed details of a dangerous vulnerability in an NFC application for Android. Attackers can exploit the bug, which allows manipulating NFC tags, to redirect victims to a malicious site, among other purposes. The developers fixed the bug in the latest version of the OS but will not fix it in previous releases.
The error was identified in Tags, the system application designed to process signals from NFC tags. If such a chip is found within range of the device, the program displays a window offering to perform some action – for example, follow a link or make a call. Information security experts have found that a cybercriminal can interfere with the operation of Tags and display such messages on their own.
“This vulnerability allows a malicious application to simulate receiving an NFC tag, and can simulate any type of tag, such as NDEF records. The downside for hackers is that user interaction is required to trigger different attack scenarios,” report Checkmarx specialists.
Researchers have described two attack scenarios. The first involves opening a dialog box even though no NFC tag has been detected; the second involves changing the contents of a legitimate message.
By installing a malicious program on the device, an attacker can replace the phone number or the link shown on the screen to force the user to go to a phishing site or make a call to a paid number. An attack requires interaction with the victim, which significantly reduces the level of threat.
“It is important to note that even though the vulnerability allows forging any NFC tag, the need for user interaction reduces its impact considerably,” write Checkmarx experts.
The cause of the CVE-2019-9295 bug is insufficient application-level permission checking. According to information security analysts, in some cases the malware will not even need extended privileges, since it will interact with the OS through the legitimate Tags program.
Google developers fixed the bug in Android 10 with a patch included in the patch set released on September 3. The vulnerability is still present in previous OS releases; the developers do not plan to release updates for them, only security recommendations.
In June of this year, Japanese scientists developed a method of hacking an NFC connection that allowed them to manipulate the target device. As part of the experiment, the researchers clicked a malicious link on the target device and connected it to a wireless network without the knowledge of the victim. The attack required a bulky set of equipment, including a copper mat, a transformer and a small computer. However, the authors argue that attackers could mount the devices in a table or other surface.