The error was identified in Tags, the system application that processes signals from NFC tags. When such a chip comes within the device's range, the program displays a window offering to perform some action – for example, follow a link or make a call. Information security experts have found that a cybercriminal can interfere with the operation of Tags and trigger such messages on their own.
“This vulnerability allows a malicious application to simulate receiving an NFC tag, and can simulate any type of tags, such as NDEF records. The downside for hackers is that user interaction is required to trigger different attack scenarios,” report Checkmarx specialists.
Researchers have described two attack scenarios. The first involves opening a dialog box even without detecting an NFC tag, the second involves changing the contents of a legitimate message.
By installing a malicious program on the device, an attacker can replace the phone number or the link shown on the screen to force the user to go to a phishing site or make a call to a paid number. The attack requires interaction with the victim, which significantly reduces the level of threat.
“It is important to note that even though the vulnerability allows forging any NFC tag, the need for user interaction reduces its impact considerably,” write Checkmarx experts.
The reason for the CVE-2019-9295 bug is insufficient application-level permission checking. According to information security analysts, in some cases, the malware will not even need extended privileges, since it will interact with the OS through the legitimate Tags program.
Google developers fixed the bug in Android 10 as part of the patch set released on September 3. The vulnerability is present in previous OS releases – Google does not plan to release updates for them, only security recommendations.
In June of this year, Japanese scientists developed a method of hacking an NFC connection, which allowed manipulating the target device. As part of the experiment, the researchers clicked on a malicious link and connected to a wireless network without the knowledge of the victim. The attack required a bulky set of equipment, including a copper mat, a transformer and a small computer. However, the authors argue that attackers could mount devices in a table or other surface.