A new critical flaw affects Bluetooth on Android. If Google has already released a patch, not all smartphones have received the update yet. Specialists advise to temporarily deactivate Bluetooth.

Google seems determined to maintain the myth around the security of Android. Often criticized, the little green robot continues its momentum. For the second time in a week, Google’s OS is experiencing security issues. After infected apps from the Play Store, researchers discovered a flaw in the Bluetooth subsystem.

Kan Ruge, a researcher at ERNW, reveals on the blog of this German security company that this flaw (CVE-2020-0022) allows to execute code remotely. By exploiting the vulnerability in the Bluetooth subsystem, an attacker could take control of a smartphone or tablet without interaction from its owner. The only mandatory prerequisite: have the Bluetooth MAC address which can be inferred from the Wi-Fi MAC address (on some terminals).

If the security researcher ensures that Android 10 is spared, versions 8.0 and 9.0 are affected. Previous versions are potentially affected by this vulnerability, but the researcher remains cautious since he has not evaluated them.

Google says it has already fixed the flaw and released a fix. Be careful though: only Pixels can install the security update. For the others, you will have to wait and desperately consult your “updates” tab in the settings of your device.

As the flaw mainly concerns models running Android 8.0 and 9.0, a significant number of terminals no longer receive security patches. In summary, these smartphones and tablets remain vulnerable.

For these cases, the researchers indicate two methods to protect themselves from an attack. The most radical is to completely disable the Bluetooth connection. The most recommended to continue using your terminal daily: deactivate the option making your mobile visible to nearby devices.

security patch details