On November 3rd, 2019, we have reported a critical vulnerability affecting the Android Bluetooth subsystem. This vulnerability has been assigned CVE-2020-0022 and was now patched in the latest security patch from February 2020.

- On Android 8.0 to 9.0, a remote attacker within proximity can silently execute arbitrary code with the privileges of the Bluetooth daemon as long as Bluetooth is enabled. No user interaction is required and only the Bluetooth MAC address of the target devices has to be known. For some devices, the Bluetooth MAC address can be deduced from the WiFi MAC address. This vulnerability can lead to theft of personal data and could potentially be used to spread malware (Short-Distance Worm).
- On Android 10, this vulnerability is not exploitable for technical reasons and only results in a crash of the Bluetooth daemon.
- Android versions even older than 8.0 might also be affected but we have not evaluated the impact.

Users are strongly advised to install the latest available security patch from February 2020.

If you have no patch available yet or your device is not supported anymore, you can try to mitigate the impact by some generic behavior rules:

- Only enable Bluetooth if strictly necessary. Keep in mind that most Bluetooth enabled headphones also support wired analog audio.
- Most are only discoverable if you enter the Bluetooth scanning menu. Nevertheless, some older phones might be discoverable permanently.

As soon as we are confident that patches have reached the end users, we will publish a technical report on this vulnerability including a description of the exploit as well as Proof of Concept code.

I did a bit of searching to see what permissions the Bluetooth process has, since if an attacker is allowed to execute code running as this process, this would define what a potential attacker is able to do. This is what I found for the current version of the Bluetooth app:

- _BLUETOOTH_SHARE
- _COARSE_LOCATION
- _ACROSS_USERS_FULL
- _ALWAYS_REPORTED_SIGNAL_STRENGTH
- _PRIVILEGED_PHONE_STATE
- _BOOT_COMPLETED
- _BLUETOOTH_DEVICE
- _EXTERNAL_STORAGE

Some of these permissions (while not root level access) are fairly powerful.

- Allows an application to read, send, or modify SMS messages.
- Allows low-level access to power management.
- Allows access to the list of accounts in the Accounts Service.
- Allows an application to call APIs that allow it to query and manage users on the device. This permission is not available to third party applications.
- Allows apps to manage users on the device, including query, creation and deletion.

On Android, most apps/packages run under their own separate ‘user’ account, identified by a userId / UID / appId / AID. Therefore, this privilege allows management of other packages / applications.

Definitely not the kinds of things I would want to allow an attacker to do on my phone. And definitely not the kinds of things that I would want to see many phones doing simultaneously due to a wormable infection.