Critical Android Bluetooth Flaw Exploitable without User Interaction

LASER_oneXM

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
Content source
https://www.bleepingcomputer.com/news/security/critical-android-bluetooth-flaw-exploitable-without-user-interaction/
Android users are urged to apply the latest security patches released for the operating system on Monday that address a critical vulnerability in the Bluetooth subsystem.

An attacker could leverage the security flaw, now identified as CVE-2020-0022 without user participation to run arbitrary code on the device with the elevated privileges of the Bluetooth daemon when the wireless module is active.

Short-distance worm

Discovered and reported by Jan Ruge at the Technische Universität Darmstadt, Secure Mobile Networking Lab, the bug is considered critical on Android Oreo (8.0 and 8.1) and Pie (9) because exploiting it leads to code execution.

According to Ruge, attackers could use this security fault to spread malware from one vulnerable device to another, like a worm. However, the transmission is limited to the short distance covered by Bluetooth.

The Android security bulletin notes that CVE-2020-0022 "could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process."
...
...
Click to expand...
On Android 10, the severity rating drops to moderate since it all it does is crash the Bluetooth daemon, the researcher says. Android versions earlier than 8.0 may also be affected but the impact on them has not been assessed.
Click to expand...
 
  • Like
  • +Reputation
Reactions: SunMan09, [correlate], upnorth and 2 others
upnorth

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
Haven't even got the January patch yet. 🙄

Hopefully I'll get the Android 10 upgrade soon enough, at least this month as that's what my vendor officially announced. 🤞
  • Only enable Bluetooth if strictly necessary. Keep in mind that most Bluetooth enabled headphones also support wired analog audio.
  • Keep your device non-discoverable. Most are only discoverable if you enter the Bluetooth scanning menu. Nevertheless, some older phones might be discoverable permanently.
Click to expand...

Critical Bluetooth Vulnerability in Android (CVE-2020-0022) – BlueFrag

On November 3rd, 2019, we have reported a critical vulnerability affecting the Android Bluetooth subsystem. This vulnerability has been assigned CVE-2020-0022 and was now patched in the latest security patch from February 2020. The security impact is as follows: On Android 8.0 to 9.0, a...
insinuator.net insinuator.net
Checked on the non-discoverable setting and nope don't have that. Then again, I don't have Bluetooth enabled 24/7. :coffee:
 
  • Like
Reactions: [correlate]
upnorth

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
Correct, but I have to trace that in the battery consumption feature. Right now Bluetooth it's not even on the list. 🥳
 
  • Like
Reactions: [correlate]
You must log in or register to reply here.

Similar threads

silversurfer
    • Like
    • +Reputation
    • Thanks
Security News Critical Bluetooth Flaw Exposes Android, Apple & Linux Devices to Takeover
Replies
0
Views
1,177
Security News
silversurfer
silversurfer
Gandalf_The_Grey
    • Like
    • +Reputation
Security News December Android updates fix critical zero-click RCE flaw
Replies
0
Views
1,323
Security News
Gandalf_The_Grey
Gandalf_The_Grey
[correlate]
    • Like
    • +Reputation
Active Mirai Botnet Variant Exploiting Zyxel Devices for DDoS Attacks
Replies
0
Views
820
News Archive
[correlate]
[correlate]

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top