Researchers found a security flaw in Android’s security component that could lead to the potential data breach. The bug has been identified as CVE-2020-022 and was discovered by German security firm ERNW who then reported it to google. The bug majorly affects phones running on Android 8 Oreo and Android 9 pie. On Android 10 it just causes the Android daemon to crash with no other malicious output.
The bug only requires the device to have Bluetooth enabled from which the hacker can initiate malicious codes without any user interaction. With phones being connected to smartwatches, headphones and speakers, their Bluetooth is turned on most of the times making them even more vulnerable.
The attackers just need the Bluetooth MAC address that can also be deduced from the WIFI MAC address and have to be in close proximity to initiate the attack. According to the ERNW researchers, the bug allows the attackers to”silently execute arbitrary code with the privileges of the Bluetooth daemon.” The bug can eventually lead to the spread of malware to other devices and even compromise your personal data. This not only puts your data at risk but also others in your vicinity.
Google has addressed this on its February security bulletin and has released a firmware update to patch this bug on its proprietary nexus and pixel devices. Other manufacturers have been asked to do the same and push the update as soon as possible.
In the meantime, it is advised to disable your Bluetooth when not in use and update your phone to the latest firmware.