Google has revealed a serious security flaw affecting its Android OS. As disclosed, a vulnerability in the Bluetooth subsystem could allow remote code execution on target devices.
Android Bluetooth Vulnerability
A serious bug was present in Google’s Android OS that threatened the security of numerous users across the globe.
The bug first caught the attention of security researcher Jan Ruge from Technische Universität Darmstadt, Secure Mobile Networking Lab. Sharing his findings in a blog post, the researcher stated,
A remote attacker within proximity can silently execute arbitrary code with the privileges of the Bluetooth daemon as long as Bluetooth is enabled. No user interaction is required and only the Bluetooth MAC address of the target devices has to be known.
The bug predominantly affected Android 8.0 to 9.0, where an attacker could exploit the flaw to steal user data or spread malware. However, in the case of Android 10, exploiting this vulnerability could only lead to the crashing of the Bluetooth daemon.
The researcher did not evaluate the vulnerability and subsequent exploit for Android versions older than 8.0, so it is possible that the same flaw also affects older Android devices.
Google Released Patches
The vulnerability was assigned the identifier CVE-2020-0022 in November 2019. The researcher then reported the flaw to Google, which has addressed the vulnerability with the February 2020 updates.
As stated in their Android bulletin,
The most severe vulnerability… could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process.
The bulletin labels this vulnerability as a critical severity flaw in the case of Android 8.0, 8.1, and 9.0, whereas for Android 10 Google dubbed it a moderate severity bug.
Since Google has just released the patches, users of Android 8.0 and above must ensure they update their devices to the latest versions. Users of older Android versions must stay vigilant when using Bluetooth connectivity on their devices. They should keep their devices non-discoverable and should enable Bluetooth only when required.
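For administrators checking a fleet against this advice, the following added example (not code from Google's bulletin or the researcher's post) parses `adb shell getprop` output and classifies each device's exposure to CVE-2020-0022 as described above. It assumes the "February 2020 updates" correspond to the security patch level string `2020-02-01`; the device names and property dumps are constructed sample data.

```python
import re

# Assumption: the February 2020 updates map to this patch level string.
FIXED_PATCH_LEVEL = "2020-02-01"
PROP_RE = re.compile(r"^\[([^\]]+)\]:\s*\[([^\]]*)\]$")
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

def parse_getprop(text):
    """Turn '[key]: [value]' lines from getprop into a dict."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props

def classify(props):
    """Map Android release + patch level to the exposure the article describes."""
    m = re.match(r"\d+", props.get("ro.build.version.release", ""))
    if not m:
        return "unknown"
    major = int(m.group())
    if major < 8:
        return "unevaluated"      # not tested by the researcher; limit Bluetooth use
    if major > 10:
        return "not-listed"       # release not discussed in the article
    patch = props.get("ro.build.version.security_patch", "")
    # ISO dates compare correctly as strings once the format is validated.
    if DATE_RE.match(patch) and patch >= FIXED_PATCH_LEVEL:
        return "patched"
    # A missing or malformed patch level is treated as unpatched.
    return "critical" if major in (8, 9) else "moderate"

def triage(inventory):
    """inventory: device name -> raw getprop text."""
    return {name: classify(parse_getprop(raw)) for name, raw in inventory.items()}

# Constructed sample inventory (not real devices).
SAMPLE = {
    "phone-a": "[ro.build.version.release]: [9]\n[ro.build.version.security_patch]: [2019-12-05]",
    "phone-b": "[ro.build.version.release]: [10]\n[ro.build.version.security_patch]: [2020-01-01]",
    "phone-c": "[ro.build.version.release]: [8.1.0]\n[ro.build.version.security_patch]: [2020-02-05]",
    "tablet-d": "[ro.build.version.release]: [7.1.2]\n[ro.build.version.security_patch]: [2018-06-01]",
}

if __name__ == "__main__":
    for device, status in triage(SAMPLE).items():
        print(f"{device}: {status}")
```

Devices reported as `critical` or `moderate` need the update; `unevaluated` devices fall under the advice to keep Bluetooth off unless required.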