Hackers can exploit NFC, Chrome browser to take over your Android phone
Despite Google’s valiant attempt to make Android a safer playground for its users by introducing the anti-malware Bouncer service last February, which helps scan apps on Google Play Store for malware and keep them out, experts are still finding security loopholes that can wreak havoc on your Android device.
The first threat we’re going to talk about today comes from the Near Field Communication (NFC) feature on certain Android devices, which is becoming more ubiquitous these days. Though the technology was already used in older phones like the Google Nexus S, released back in 2010, newer devices like Samsung’s Galaxy S3 seem to be finding more uses for it, as NFC is being promoted beyond wireless payment – such as for transferring pictures and other files.
Charlie Miller, a consultant from security firm Accuvant, has recently demonstrated how easy it is to push through malicious code to an Android device. He did it with the help of a device as small as a postage stamp, also known as an NFC tag, by placing it within close proximity to where people would be using their NFC-equipped device the most. This enables the code to be beamed over to the handset, thus allowing hackers to gain full control of the device.
So what you can do to avoid the worst from happening? When it comes to NFC, enabling the feature in combination with Android Beam on your device does leave you with no choice but to accept any incoming transfer – malicious or not. There is currently no mechanism in place where you can select to approve or reject the transfer from other NFC devices. This is obviously something that Google and manufacturers need to address.
The second threat is a security flaw that was found in Google’s Chrome browser for Android. Demonstrating it back in February, Miller, alongside Crowdstrike’s Georg Wicherski, used a piece of software to infect the device through the loophole. The flaw has since been fixed by Google, and those who have updated the browser to its latest version should be relatively safe from such attacks.