New Bug in Android Enables Hackers to Steal Banking Data

In the Android operating system, a vulnerability has been found that allows the complete data of a bank card to be read using multifunctional NFC-capable devices such as Flipper Zero. The problem has received the identifier CVE-2023-35671 and affects all devices running Android 5.0 and higher.

The vulnerability is tied to the “screen pinning” feature. When this feature is enabled for any application and, in addition, the options “ask for a PIN before unpinning” and “require the device to be unlocked for NFC” are turned on, the victim’s bank card data can be stolen.

Screen pinning locks the smartphone to one specific application so that it cannot be minimised. This is useful, for example, when temporarily handing the device to another person (a friend or relative) so you can be sure they will not launch any other application and compromise your privacy.

So, if screen pinning is active, a person with a suitable NFC reader can obtain the full details of a credit or debit card if it is linked to the victim’s Google Wallet and configured for contactless payment. It is enough to simply hold such a gadget against the vulnerable device; the password that is usually requested in such cases is not required.

It should be noted that the vulnerability does not allow payments to be made, but it does give access to the data of the linked card, including its number and expiry date, which can also be useful to a potential attacker.

Despite the very specific conditions required and the low risk of use in real attacks, Google has already rated the vulnerability as “serious” and has begun to address the problem.

The fix is included in the September 2023 security patch, but only relatively fresh versions of the system, starting with Android 11, will receive it. The patch is already available to all manufacturers of Android smartphones, who, each at their own pace, have begun rolling it out to supported devices.
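As an added example (not from the article or from Google), the following POSIX shell function checks whether a device can have received this fix, using the two conditions the article states: Android 11 or newer and a security patch level of September 2023 or later. It reads `getprop`-style output (the `ro.build.version.release` and `ro.build.version.security_patch` properties are standard Android build properties); the sample device outputs below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: decide from `adb shell getprop` output whether a device meets
# the conditions for the CVE-2023-35671 fix described above.
# Return codes: 0 = fix can be present (Android >= 11 and patch >= 2023-09-01),
#               1 = device cannot have the fix, 2 = properties missing/unparseable.
check_cve_2023_35671_fix() {
    props=$(printf '%s\n' "$1" | tr -d '\r')     # adb output may carry CRLF
    release=$(printf '%s\n' "$props" | sed -n 's/^\[ro\.build\.version\.release\]: \[\([^]]*\)\].*/\1/p')
    patch=$(printf '%s\n' "$props" | sed -n 's/^\[ro\.build\.version\.security_patch\]: \[\([^]]*\)\].*/\1/p')
    [ -n "$release" ] && [ -n "$patch" ] || return 2

    major=${release%%.*}                          # "4.4.4" -> 4, "13" -> 13
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    [ "$major" -ge 11 ] || return 1

    patch_num=$(printf '%s' "$patch" | tr -d '-') # "2023-09-05" -> 20230905
    case "$patch_num" in ''|*[!0-9]*) return 2 ;; esac
    [ "$patch_num" -ge 20230901 ] || return 1
    return 0
}

# Constructed sample outputs (not real devices).
PATCHED_DEVICE='[ro.build.version.release]: [13]
[ro.build.version.security_patch]: [2023-09-05]'
TOO_OLD_DEVICE='[ro.build.version.release]: [10]
[ro.build.version.security_patch]: [2023-09-05]'
STALE_DEVICE='[ro.build.version.release]: [12]
[ro.build.version.security_patch]: [2023-08-05]'

for sample in PATCHED_DEVICE TOO_OLD_DEVICE STALE_DEVICE; do
    eval "props=\$$sample"
    if check_cve_2023_35671_fix "$props"; then
        echo "$sample: fix can be present"
    else
        echo "$sample: fix not available on this build (rc=$?)"
    fi
done
```

Against a connected device, run `check_cve_2023_35671_fix "$(adb shell getprop)"` after sourcing the script.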

But devices working on outdated versions of
