One of the vulnerabilities listed in the bulletin, given a severity rating of “Critical” by Google, relates to a flaw that could allow an attacker within range of a device’s Bluetooth signal to run malicious code without requiring any interaction from the user.
Researchers at ERNW, who discovered the security vulnerability (tracked as CVE-2020-0022), described it as follows:
“On Android 8.0 to 9.0, a remote attacker within proximity can silently execute arbitrary code with the privileges of the Bluetooth daemon as long as Bluetooth is enabled. No user interaction is required and only the Bluetooth MAC address of the target devices has to be known. For some devices, the Bluetooth MAC address can be deduced from the WiFi MAC address. This vulnerability can lead to theft of personal data and could potentially be used to spread malware (Short-Distance Worm).”
Worryingly, Android 8.0-9.0 account for over 60% of the Android devices in use.
The researchers go on to explain that for technical reasons the vulnerability cannot be exploited on Android 10, but may cause the Bluetooth daemon to crash. It is not yet known if versions of Android prior to 8.0 are at risk.
ERNW reported the vulnerability to Google on November 3, 2019, and a patch has been in the works since then.
Google informed other Android device manufacturers of the issue one month ago, and has gone public this week with security patches for its own-branded devices, such as the Google Pixel. The security update also includes patches for other Android bugs that range in severity from “moderate” to “critical”.
Clearly the best thing for Android users to do is to install the latest available security patch onto their smartphones and tablets. Problems occur, however, if you happen to use a device from a manufacturer who has not yet rolled out the security update, or if your Android device is no longer officially supported.
If that’s true for you, you might want to consider disabling Bluetooth on your device until a proper fix becomes available for you. If you really must enable Bluetooth, remember to turn it off afterwards.
The researchers at ERNW say that they will release more technical information on the vulnerability, including proof-of-concept code, as soon as they feel confident that patches have reached end users.
https://www.grahamcluley.com/android-bluetooth-worm-vulnerability/