Android users are advised to apply the latest security fixes issued for the operating system on Monday, which address a serious flaw in the Bluetooth subsystem.
An attacker could exploit the flaw, now tracked as CVE-2020-0022, without the user's permission to run arbitrary code on the device with the elevated privileges of the Bluetooth daemon whenever the wireless module is active.
Discovered and reported by Jan Ruge of the Secure Mobile Networking Lab at Technische Universität Darmstadt, the bug is considered critical on Android Oreo (8.0 and 8.1) and Pie (9) because exploiting it leads to code execution.
Ruge says that attackers could use this flaw to spread malware from one vulnerable device to another, like a worm. However, the spread is limited to the short range covered by Bluetooth.
The Android security bulletin notes that CVE-2020-0022 “could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process.”
The only prerequisite for exploiting the issue is knowing the device's Bluetooth MAC address, which is not difficult to find.
“For some devices, the Bluetooth MAC address can be deduced from the WiFi MAC address,” the researcher says on the blog of German IT security consultant ERNW.
The researcher says that on Android 10 the severity rating falls to moderate, since exploitation only crashes the Bluetooth daemon. Android versions older than 8.0 may also be affected, but the impact on them has not been evaluated.