BlueFrag security vulnerability allows code execution over Bluetooth on some Android devices

The importance of receiving Android’s monthly security updates cannot be overstated. If you need another example for why that is, look no further than CVE-2020-0022 — a new vulnerability that allows code execution over Bluetooth connections on some Android devices.

The security hole was discovered by ERNW, an IT security firm operating in Heidelberg, Germany. Here’s how the vulnerability was described by the company:

On Android 8.0 to 9.0, a remote attacker within proximity can silently execute arbitrary code with the privileges of the Bluetooth daemon as long as Bluetooth is enabled. No user interaction is required and only the Bluetooth MAC address of the target devices has to be known. For some devices, the Bluetooth MAC address can be deduced from the WiFi MAC address. This vulnerability can lead to theft of personal data and could potentially be used to spread malware (Short-Distance Worm).

The full details haven’t been published yet, but the fix is included in the February 2020 security patch. You’re also safe if your phone or tablet has been updated to Android 10 — the vulnerability has no effect on that version besides crashing Android’s Bluetooth stack.

If your device is still on Android 9 Pie or below, you probably still don’t have much to worry about — finding the Bluetooth MAC address isn’t always a simple task.