Date: 2019-11-04

A NOW-PATCHED BUG made it possible for hackers to dump malicious APK files on nearby devices running Android Oreo or later without any kind of security warning.

Android Beam was the culprit. For those unfamiliar with Beam, it's a way of transferring files, pictures and videos between two Android devices using NFC rather than WiFi, Bluetooth or a tedious process involving cables and a laptop.

The fact that you can send APK files over Beam isn't in itself a problem. The issue is that Android Beam was accidentally whitelisted as a trusted source by Google, in the same way that the Play Store gets a free pass. So while anybody being sent a malicious file should have had a short warning on the perils of installing apps from unknown sources, they could instead be infected with a single tap.

Aside from the fact that Google patched this vulnerability last month, there are other reasons that this doesn't sit anywhere near the most dangerous threats facing your devices today. First, you still need to actually action the install with a tap - you just won't get Google's warning that it's a bad idea and the extra safety net of having to manually enable "install apps from unknown sources" in the settings.

Second, and more importantly, the N in NFC stands for "near", and in this context that means about 1.5in. In other words, a hacker would have to get uncomfortably close to actually initiate the malware plant in the first place - and if a creepy stranger is that close to you, then you probably have bigger problems than a dodgy APK.

Anyway, it's a moot point: Google has fixed it. But if the latest patch hasn't reached your handset yet, you can cut out the threat entirely by either turning off NFC or disabling Android Beam. If you use your phone for contactless payment, you'll want the latter. µ