Google has fixed a critical security flaw in Android smartphones that would have allowed attackers to gain access to your data through Bluetooth. The fix is available through the Android February 2020 Security Bulletin, which has already begun rolling out. The exploit was discovered in older versions of Android such as Android 9 and Android 8.
The security flaw was discovered by researchers at ERNW, a Germany-based cyber security firm. Google has assigned this vulnerability CVE-2020-0022, and the fix is part of the latest February security patch for Android users.
ERNW security researchers report that the vulnerability allowed attackers to target phones running Android 8.0 or Android 9.0 by quietly executing arbitrary code with the “privileges of the Bluetooth daemon as long as Bluetooth is enabled.” Researchers added that the hack didn’t require any action from the user as long as Bluetooth is turned on.
“No user interaction is required and only the Bluetooth MAC address of the target devices has to be known. For some devices, the Bluetooth MAC address can be deduced from the WiFi MAC address. This vulnerability can lead to theft of personal data and could potentially be used to spread malware (Short-Distance Worm),” said security researchers in a post.
Researchers noted, however, that they could not replicate the same hack on phones running Android 10, although the vulnerability existed in the newer version as well. They also cautioned that Android versions older than 8.0 may be affected by the vulnerability.
Users with Android 8 or 9 are recommended to download the latest February 2020 security patch to have the flaw fixed. If you haven’t received the update yet, you can keep Bluetooth turned off unless you’re actually using the feature, say, to pair a device. As suggested by CNET, you can also change your settings to ensure your device is not discoverable to others via Bluetooth.