The bug first caught the attention of security researcher Jan Ruge from Technische Universität Darmstadt, Secure Mobile Networking Lab. Sharing his findings in a blog post, the researcher stated,
A remote attacker within proximity can silently execute arbitrary code with the privileges of the Bluetooth daemon as long as Bluetooth is enabled. No user interaction is required and only the Bluetooth MAC address of the target devices has to be known.The bug predominantly affected Android 8.0 to 9.0, where an attacker could exploit the flaw to steal user data or spread malware. However, in the case of Android 10, exploiting this vulnerability could only lead to the crashing of the Bluetooth daemon.
The researcher did not evaluate the vulnerability and subsequent exploit for Android versions older than 8.0. So, it is possible that the same flaw may also affect older Android devices as well.
As stated in their Android bulletin,
The most severe vulnerability… could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process.The bulletin labels this vulnerability as a critical severity flaw in the case of Android 8.0, 8.1, and 9.0. Whereas, for Android 10, Google dubbed it a moderate severity bug.
Since Google have just released the patches, users of Android 8.0 and above must ensure they update their devices to the latest versions. Users of older Android versions must stay vigilant when using Bluetooth connectivity on their devices. They should keep their devices non-discoverable and should enable Bluetooth only when required.
Let us know your thoughts in the comments.