Google this week released a report regarding Android security and announced 13 vulnerabilities got patched. A major Bluetooth vulnerability that affects Android 8, 8.1, and 9 and can be remotely executed by users’ authority is included. Among the vulnerabilities patched this month, the most serious is the vulnerability numbered CVE-2020-0022. It was discovered by the German security vendor last November and affects the Android Bluetooth subsystem. On Android 8.0 and 9.0, if the user’s mobile phone has Bluetooth turned on, an attacker located near the user can use the permissions of the Bluetooth daemon program to secretly execute arbitrary code. This can steal personal information and even promote the spread of worm programs. The security impact of this vulnerability is as follows:
- In Android 8.0 to 9.0 systems, with Bluetooth enabled, a remote attacker can silently execute arbitrary code with the permissions of the Bluetooth daemon within a certain distance. The entire process does not require user interaction as attackers only need to know the Bluetooth MAC address of the target device. For some devices, the MAC address of Bluetooth can be calculated from the WiFi MAC address.
- In Android 10, the vulnerability cannot be exploited, but it may cause the Bluetooth daemon to crash.
- The vulnerability also affects users in versions lower than Android 8.0, but the researchers did not evaluate the impact but said that it should also be affected.
Researchers strongly recommend that users install the official February patch. If users cannot install the patch or the device is no longer supported, users can try some general methods:
- DO NOT leave Bluetooth on if not necessary. Note that most Bluetooth headsets support wired analog audio.
- Set the device Bluetooth to invisible. The device is only visible when set in the Bluetooth scan menu, even though some old versions may have to stay visible all the time.
Solving Your Cybersecurity Issues