New NFC vulnerability affects Android 7, 8 and 9; Google won’t fix this flaw

Vulnerability testing specialists have reported a new security flaw affecting multiple versions of the Android OS. By default, no Android app can perform operations that negatively impact other apps, the operating system or the user, so activities such as reading or writing private data, accessing another app's files, or keeping the device awake are restricted.

In the report, experts describe a recently found vulnerability in Tags, the app pre-installed on the Android operating system that reads Near Field Communication (NFC) tags, parses them and forwards the results. The vulnerability, tracked as CVE-2019-9295, would allow any unauthorized app to trick Tags into acting as if a new NFC tag had been read, which would be very useful in multiple attack scenarios.

This is not considered a critical vulnerability. However, vulnerability testing experts believe that Android users, especially those who are not on version 10, should be aware of this security risk, as it could be the cause of more severe security flaws in the future. In a statement, Google specified that the vulnerability was fixed only in Android 10, so the fix does not extend to earlier versions.

This vulnerability allows a malicious application to simulate the receipt of an NFC tag, and it can simulate any type of tag, such as NDEF records. The downside for attackers is that user interaction is required to trigger the different attack scenarios.

The report raises two main attack scenarios:

  • A pop-up window could appear at random, alerting the user that a new NFC tag has been scanned (the tag is actually generated by a malicious application). The user would have to interact with this pop-up to choose an app to handle the notification.
  • The target user scans a real NFC tag. This could allow the malicious app to intercept and change the contents of the tag before the operating system hands it to the default application. For example, a user might scan a company label that contains a phone number; during the process, the unauthorized app changes the phone number from the original label without the user noticing any hint of anomalous activity.

According to vulnerability testing experts, either scenario depends on tricking users into an action such as clicking a link that redirects them to an attacker-controlled page, using a wrong phone number, or any other activity that can be embedded in an NFC tag. It is important to note that even though the vulnerability allows forging any NFC tag, the need for user interaction reduces its impact considerably.

Vulnerability testing experts from the International Institute of Cyber Security (IICS) mention that the Android 10 update that fixes this flaw was released about a month ago. However, many devices have not yet received the operating system update. In addition, Google has already announced that the vulnerability will not be fixed in previous versions of the operating system, so the only recommendation for users and developers is caution.