Google releases a fix for the security hole that, if left unplugged, could allow attackers to run malicious code with no user interaction
Google has rolled out a security update to address a critical flaw in Android’s Bluetooth implementation that allows remote code execution without user interaction.
The vulnerability, tracked as CVE-2020-0022, affects devices running Android Oreo (8.0 and 8.1) and Pie (9.0). For these devices, which between them account for almost two-thirds of Android devices in use, the flaw is rated critical by Google.
According to German IT security provider ERNW, which discovered the ‘wormable’ security hole and reported it to Google three months ago, the bug could be exploited to pilfer personal data or distribute malware. Attackers could “silently execute arbitrary code with the privileges of the Bluetooth daemon”, said the company.
“No user interaction is required and only the Bluetooth MAC address of the target devices has to be known. For some devices, the Bluetooth MAC address can be deduced from the Wi-Fi MAC address”. Obviously attackers also need to be within close proximity of the targeted device and the phone or tablet has to be in discoverable mode.
The bug is much less of a problem for Android 10, where it cannot be exploited and leads ‘only’ to a crash of the Bluetooth daemon. Android versions older than 8.0 were not tested.
ERNW stopped short of describing the bug in detail or shari ..
Support the originator by clicking the read the rest link below.
