Today in “it’s always a good idea to update your devices,” a recently discovered loophole in Android’s NFC-based file-sharing feature, Android Beam, makes it possible for someone to install an app on your device. The loophole has already been identified and fixed by Google in an Android update that went out last month, so diligent updaters are already covered. If you haven’t updated, now would be a good time to do so.
The bug, as reported by ZDNet, is really a misclassification of Beam’s security permissions. With most NFC-based exchanges, users are supposed to receive a prompt warning them that information is being transferred. With applications in particular, Android is supposed to block installing applications from “unknown sources” outside the Google Play store unless you confirm you want them.
In Android 8.0 and higher, Android whitelisted Google Beam, making it as trustworthy as the Play Store. So, if someone were to send an app over Beam, it would install automatically once you acknowledged the app, without any security warning. As someone who half-reads notifications all the time, I can attest to the fact that this sets up even the most security-conscious of us to accidentally install malicious software.
Google updated Beam’s permissions in the October 2019 Android update. If you keep your phone up to date, the problem has already been solved. (I would suggest checking for updates if you haven’t in the last week, just to be sure.)
You can also disable NFC file-sharing entirely, if you don’t use it, by going into the Settings app, clicking “Connections,” then “NFC and payment,” and switching Google Beam off. Turning off Beam will block all file-sharing over NFC without disabling other NFC-based apps, such as Google Pay.
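If you look after more than one phone, the two conditions described above (Android 8.0 or higher, and no October 2019 update) can be checked from the device's system properties. The script below is an added example, not code from Google or ZDNet; the function names, the constructed sample dump, and the choice of `2019-10-01` as the cutoff patch level are assumptions.

```shell
#!/bin/sh
# Classify a device from `getprop` output against the conditions in the article.
FIX_PATCH="2019-10-01"   # assumption: first patch level of the October 2019 update
MIN_SDK=26               # API level 26 is Android 8.0

# Pull one property out of a getprop dump; lines look like "[key]: [value]".
prop_from_dump() {
    awk -v want="[$1]:" '$1 == want { v = $2; gsub(/^\[|\]$/, "", v); print v; exit }'
}

# Args: SDK level, security patch level (YYYY-MM-DD).
# Prints one of: not-affected, needs-update, patched, unknown.
beam_exposure() {
    case "$1" in ''|*[!0-9]*) echo "unknown"; return 0 ;; esac
    # Below Android 8.0 Beam was not whitelisted, so the patch date is irrelevant.
    if [ "$1" -lt "$MIN_SDK" ]; then echo "not-affected"; return 0; fi
    case "$2" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unknown"; return 0 ;;   # missing or malformed patch level
    esac
    # Drop the dashes so the dates compare as plain integers.
    have=$(printf '%s' "$2" | tr -d '-')
    need=$(printf '%s' "$FIX_PATCH" | tr -d '-')
    if [ "$have" -lt "$need" ]; then echo "needs-update"; else echo "patched"; fi
}

# Read a full getprop dump on stdin and print the verdict.
# Real use: adb shell getprop | audit_dump
audit_dump() {
    dump=$(tr -d '\r')   # adb output may carry CR line endings
    sdk=$(printf '%s\n' "$dump" | prop_from_dump ro.build.version.sdk)
    patch=$(printf '%s\n' "$dump" | prop_from_dump ro.build.version.security_patch)
    beam_exposure "$sdk" "$patch"
}

# Constructed sample: an Android 9 phone last patched in August 2019.
SAMPLE_OLD='[ro.build.version.release]: [9]
[ro.build.version.sdk]: [28]
[ro.build.version.security_patch]: [2019-08-05]'

printf '%s\n' "$SAMPLE_OLD" | audit_dump
```

A `needs-update` result means the device should install the pending system update or have Beam switched off as described above.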