Google has released this month’s routine security updates for Android. As usual, most devices cannot install these critical security updates in a timely manner.
After Google released the update, researchers revealed a key flaw in Android’s Bluetooth module (CVE-2020-0022) that allows an attacker to execute arbitrary code without user interaction.
Remote execution of arbitrary code without user interaction is extremely harmful, but fortunately the attacker has to launch this attack from within the target’s physical environment.
In other words, an attacker needs to use Bluetooth scanning in at least one physical location to search for specific devices and then launch attacks on those devices.
The vulnerability was discovered by Jan Ruge of the Secure Mobile Networking Lab at Technische Universität Darmstadt. It has a critical impact on the Android 8.0, 8.1 and 9 series. Attackers can use the vulnerability to transmit worms to affected devices.
However, an attacker who wants to launch the attack must be in the same physical environment and is limited by Bluetooth transmission distance, so the vulnerability cannot be used to launch attacks widely. Although the vulnerability requires no action by the user, meaning it can be exploited without the user being aware of it, it is more difficult to exploit.