Researchers at ERNW Insulator, a German security firm, have found a critical vulnerability that lets attackers run malicious code on some Android devices. The vulnerability, CVE-2020-0022 (BlueFrag), has now been patched in the February 2020 security update.
If left unpatched, BlueFrag lets malicious actors steal personal data from an Android phone running Oreo 8.0 or Pie 9.0 without any user interaction. The attacker only needs to be within Bluetooth range and to know the Bluetooth MAC address of your device to take over your phone.
The researchers have not yet published a technical report detailing the vulnerability, as attackers could take advantage of the details. They aim to release the description and proof-of-concept code once OEMs push security patches to their devices.
You probably need not worry about BlueFrag if your phone is running Android 10. The researchers mention that the exploit does not affect Android 10, as it resulted in a Bluetooth crash when they tested it. The report states that devices running Android versions below Oreo 8.0 could also be affected by the vulnerability, so it is recommended to update your smartphone to the latest security patch (if available) to stay safe.
That said, it is worth pointing out that most phones running Android Oreo have probably reached EOL in terms of software updates and security patches. In that case, your handset will remain vulnerable indefinitely unless brands take the initiative to roll out this patch to discontinued devices.
If your device has not received the February security patch so far, the security firm recommends switching on Bluetooth only when in use, and keeping your device non-discoverable.