Android users at risk from Bluetooth hijack attack, and are warned of “short distance worm” threat

Graham Cluley
@gcluley


Google has issued a security bulletin regarding vulnerabilities in the Android operating system that could put users’ devices at risk.

One of the vulnerabilities, given a severity rating of “Critical” by Google, relates to a flaw that could allow an attacker, within range of a device’s Bluetooth signal, to run malicious code without requiring any interaction from the user.

Researchers at ERNW, who discovered the security vulnerability (dubbed CVE-2020-0022), described it as follows:

“On Android 8.0 to 9.0, a remote attacker within proximity can silently execute arbitrary code with the privileges of the Bluetooth daemon as long as Bluetooth is enabled. No user interaction is required and only the Bluetooth MAC address of the target devices has to be known. For some devices, the Bluetooth MAC address can be deduced from the WiFi MAC address. This vulnerability can lead to theft of personal data and could potentially be used to spread malware (Short-Distance Worm).”

Sign up to our newsletter
Security news, advice, and tips.

Worryingly, Android 8.0-9.0 account for over 60% of the Android devices in use.

Android OS version marketshare worldwide, February 2020. Source: gstatcounter.com

The researchers go on to explain that for technical reasons the vulnerability cannot be exploited on Android 10, but may cause the Bluetooth daemon to crash. It is not yet known if versions of Android prior to 8.0 are at risk.

ERNW reported the vulnerability to Google on November 3, 2019, since when a patch has been in the works.

Google informed other Android device manufacturers of the issue one month ago, and has gone public this week with security patches for its own-branded devices, such as the Google Pixel. Other patches included in the security update protect against other Android bugs that range in severity from “moderate” to “critical”.

Clearly the best thing for Android users to do is to install the latest available security patch onto their smartphones and tablets. Problems occur, however, if you happen to use a device from a manufacturer who has not yet rolled out the security update, or if your Android device is no longer officially supported.

If that’s true for you, you might want to consider disabling Bluetooth on your device until a proper fix becomes available for you. If you really must enable Bluetooth, remember to turn it off afterwards.

The researchers at ERNW say that they will release more technical information on the vulnerability, including proof-of-concept code, as soon as they feel confident that patches have reached end users.

Given the history of how long some Android phones remain active on the internet with obsolete and bug-ridden versions of their operating system I don’t know how they can ever feel that it’s safe to do so.

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

One comment on “Android users at risk from Bluetooth hijack attack, and are warned of “short distance worm” threat”

  1. Wishing for my old Blackberry….
    Sadly to go out of production this summer.
    Now there was a company that knew how to make a phone.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.