Security researchers at ERNW disclosed a vulnerability in Android bluetooth stack that lets attackers silently deliver malware to and steal data from nearby phones simply knowing the Bluetooth MAC address of the target (easy to guess just by looking at the WiFi MAC address).




The vulnerability, dubbed BlueFrag [1], affects Android 8 and 9, and doesn't work with Android 10 where cause a crash of Bluetooth daemon.
It's possible that versions before Android 8 are affected, but the team hadn't "evaluated the impact" on older releases.

According to the paper:

On Android 8.0 to 9.0, a remote attacker within proximity can silently execute arbitrary code with the privileges of the Bluetooth daemon as long as Bluetooth is enabled. No user interaction is required and only the Bluetooth MAC address of the target devices has to be known. For some devices, the Bluetooth MAC address can be deduced from the WiFi MAC address. This vulnerability can lead to theft of personal data and could potentially be used to spread malware (Short-Distance Worm).

Due the Bluetooth nature of the flaw an attacker needs to be relatively close to the taget: this will mainly be a concern in public spaces.


Vulnerability details

Currently, ERNW doesn't published any technical information:

As soon as we are confident that patches have reached the end users, we will publish a technical report on this vulnerability including a description of the exploit as well as Proof of Concept code.

However, looking at the released patch [5], it seems to be related to send fragmented GAP ACL L2CAP data over HCI [4].


How to fix/mitigate?

This vulnerability has been assigned CVE-2020-0022 [2] and was patched by Google in the February 2020 security patch [3], so check updates on your device ASAP!

If you have no patch available yet or your device is not supported anymore, you can still try to mitigate the impact, enabling Bluetooth only if strictly necessary and keep your device non-discoverable.


References

  1. Critical Bluetooth Vulnerability in Android (CVE-2020-0022) – BlueFrag
  2. CVE-2020-0022
  3. Android Security Bulletin—February 2020
  4. Full Disclosure: Critical Bluetooth Vulnerability in Android (CVE-2020-0022) – BlueFrag
  5. 3cb7149d8fed2d7d77ceaa95bf845224c4db3baf - platform/system/bt - Git at Google