NFC works with Android Beam, a service that allows Android devices to send images, videos, and other files, or even apps, to another nearby device using Near-Field Communication radio waves, as an alternative to WiFi and Bluetooth technology.
Files sent via NFC beaming result in a prompt on the receiving device asking for permission to install the file from an unknown source. But on Android 8 (Oreo) and above, if you send an app to someone via NFC beaming, no such prompt appears and the installation of the app happens in just a tap.
Google displays a warning whenever an Android user tries to install an app that was not downloaded directly from the Play Store. The bug is that on devices running Android Oreo and above, NFC beaming does not explicitly ask users whether they wish to go ahead with installing an app from unknown sources.
However, certain apps, such as the Dropbox app and Google Chrome, are whitelisted and can be installed without the security warnings or notification.
The reason this bug is such a big deal is that new Android devices have the NFC feature enabled by default and don't even show whether the feature is active on your smartphone. It works once you hold two devices in close proximity, within 4 cm, or 1.5 inches, of each other, so if a hacker wants to send malware to your Android device, he only needs to bring his smartphone close to your device.
Google acknowledged the bug (CVE-2019-2114) as affecting devices running Android 8.0 (Oreo) or above, allowing anyone, including bad actors, to discreetly send malware to a smartphone via NFC beaming.
The company promptly released a fix by removing the NFC Beaming feature from whitelisted apps. However, it is advised that you turn off the NFC feature and Android Beam on your device, and update your Android OS to the latest software if available for your device.