Google has issued a security bulletin regarding vulnerabilities in the Android operating system that could put users’ devices at risk.
One of the vulnerabilities, given a severity rating of “Critical” by Google, relates to a flaw that could allow an attacker, within range of a device’s Bluetooth signal, to run malicious code without requiring any interaction from the user.
Researchers at ERNW, who discovered the security vulnerability (dubbed CVE-2020-0022), described it as follows:
“On Android 8.0 to 9.0, a remote attacker within proximity can silently execute arbitrary code with the privileges of the Bluetooth daemon as long as Bluetooth is enabled. No user interaction is required and only the Bluetooth MAC address of the target devices has to be known. For some devices, the Bluetooth MAC address can be deduced from the WiFi MAC address. This vulnerability can lead to theft of personal data and could potentially be used to spread malware (Short-Distance Worm).”
Worryingly, Android 8.0-9.0 account for over 60% of the Android devices in use.
The researchers go on to explain that for technical reasons the vulnerability cannot be exploited on Android 10, but may cause the Bluetooth daemon to crash. It is not yet known if versions of Android prior to 8.0 are at risk.
ERNW reported the vulnerability to Google on November 3, 2019, since when a patch has been in the works.
Google informed other Android device manufacturers of the issue one month ago, and has gone public this week with security patches for its own-branded devices, such as the Google Pixel. Other patches included in the security update protect against other Android bugs that range in severity from “moderate” to “critical”.
Clearly the best thing for Android users to do is to install the latest available security patch onto their smartphones and tablets. Problems occur, however, if you happen to use a device from a manufacturer who has not yet rolled out the security update, or if your Android device is no longer officially supported.
If that’s true for you, you might want to consider disabling Bluetooth on your device until a proper fix becomes available for you. If you really must enable Bluetooth, remember to turn it off afterwards.
The researchers at ERNW say that they will release more technical information on the vulnerability, including proof-of-concept code, as soon as they feel confident that patches have reached end users.
Given the history of how long some Android phones remain active on the internet with obsolete and bug-ridden versions of their operating system I don’t know how they can ever feel that it’s safe to do so.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.