Android users at risk from Bluetooth hijack attack, and are warned of “short distance worm” threat

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

Android users at risk from Bluetooth hijack attack
Google has issued a security bulletin regarding vulnerabilities in the Android operating system that could put users’ devices at risk.

One of the vulnerabilities, given a severity rating of “Critical” by Google, relates to a flaw that could allow an attacker, within range of a device’s Bluetooth signal, to run malicious code without requiring any interaction from the user.

Researchers at ERNW, who discovered the security vulnerability (dubbed CVE-2020-0022), described it as follows:

“On Android 8.0 to 9.0, a remote attacker within proximity can silently execute arbitrary code with the privileges of the Bluetooth daemon as long as Bluetooth is enabled. No user interaction is required and only the Bluetooth MAC address of the target devices has to be known. For some devices, the Bluetooth MAC address can be deduced from the WiFi MAC address. This vulnerability can lead to theft of personal data and could potentially be used to spread malware (Short-Distance Worm).”

Worryingly, Android 8.0-9.0 account for over 60% of the Android devices in use.

Android os stats february 2020
Android OS version marketshare worldwide, February 2020. Source: gstatcounter.com

The researchers go on to explain that for technical reasons the vulnerability cannot be exploited on Android 10, but may cause the Bluetooth daemon to crash. It is not yet known if versions of Android prior to 8.0 are at risk.

ERNW reported the vulnerability to Google on November 3, 2019, since when a patch has been in the works.

Google informed other Android device manufacturers of the issue one month ago, and has gone public this week with security patches for its own-branded devices, such as the Google Pixel. Other patches included in the security update protect against other Android bugs that range in severity from “moderate” to “critical”.

Clearly the best thing for Android users to do is to install the latest available security patch onto their smartphones and tablets. Problems occur, however, if you happen to use a device from a manufacturer who has not yet rolled out the security update, or if your Android device is no longer officially supported.

If that’s true for you, you might want to consider disabling Bluetooth on your device until a proper fix becomes available for you. If you really must enable Bluetooth, remember to turn it off afterwards.

Sign up to our free newsletter.
Security news, advice, and tips.

The researchers at ERNW say that they will release more technical information on the vulnerability, including proof-of-concept code, as soon as they feel confident that patches have reached end users.

Given the history of how long some Android phones remain active on the internet with obsolete and bug-ridden versions of their operating system I don’t know how they can ever feel that it’s safe to do so.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

One comment on “Android users at risk from Bluetooth hijack attack, and are warned of “short distance worm” threat”

  1. Spryte

    Wishing for my old Blackberry….
    Sadly to go out of production this summer.
    Now there was a company that knew how to make a phone.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.