The February Android platform update fixes a critical vulnerability (CVE-2020-0022) in the Bluetooth stack that allows remote code execution by sending a specially crafted Bluetooth packet. The bug can be exploited silently by an attacker within Bluetooth range, and it could be used to build a worm that spreads by attacking neighbouring devices in turn.
To carry out the attack it is enough to know the Bluetooth MAC address of the victim's device (no prior pairing is required, but Bluetooth must be enabled). On some devices the Bluetooth MAC address can be derived from the Wi-Fi MAC address. Successful exploitation lets the attacker run code with the privileges of the background process that handles Bluetooth in Android. The problem is specific to the Fluoride Bluetooth stack used in Android (based on code from Broadcom's BlueDroid project) and does not affect the BlueZ stack used on Linux.
The researchers who found the problem have a working proof-of-concept exploit, but the details will be published later, once the fix has reached the bulk of users. All that is known so far is that the vulnerability sits in the packet reassembly code and is caused by an incorrect calculation of the L2CAP (Logical Link Control and Adaptation Protocol) packet size when the data sent exceeds the expected size.
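The description above gives only the outline of the bug class: a reassembly routine that mis-sizes an L2CAP packet when a fragment carries more data than was announced. The C program below is an added, illustrative model written for this page; it is not Fluoride's code and does not reproduce the actual CVE-2020-0022 defect. It implements a minimal HCI ACL to L2CAP reassembler that checks the ACL length field against the bytes actually received, records the PDU length announced in the first fragment, and discards the whole partial packet when a continuation fragment would overrun it rather than clamping and carrying on. The helper `clamped_copy_len_unsafe` shows, in generic terms, why the clamp-and-continue alternative is dangerous with unsigned lengths. The sample fragments, the 1024-byte buffer limit and every function name here are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bluetooth Core sizes: an HCI ACL data packet has a 4-byte preamble (2 bytes
 * connection handle + PB/BC flags, 2 bytes data length). The first fragment of
 * an L2CAP PDU then starts with the 4-byte L2CAP basic header (PDU length, CID). */
#define HCI_ACL_PREAMBLE_SIZE 4
#define L2CAP_HEADER_SIZE     4
#define PB_FIRST_FLUSHABLE    2    /* packet boundary flag: start of an L2CAP PDU */
#define PB_CONTINUING         1    /* packet boundary flag: continuation fragment */
#define MAX_L2CAP_PAYLOAD     1024 /* assumption: receive buffer limit for this model */

enum reassembly_result { RS_NEED_MORE, RS_COMPLETE, RS_REJECTED };

struct partial_packet {
    uint8_t data[L2CAP_HEADER_SIZE + MAX_L2CAP_PAYLOAD];
    size_t  len;    /* total bytes expected: L2CAP header + announced PDU length */
    size_t  offset; /* bytes accumulated so far */
    int     active; /* a first fragment was seen and the PDU is not complete yet */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void reset_partial(struct partial_packet *pp) { pp->len = 0; pp->offset = 0; pp->active = 0; }

/* Feed one HCI ACL packet (preamble + payload) into the reassembler. */
enum reassembly_result reassemble_acl(struct partial_packet *pp, const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < HCI_ACL_PREAMBLE_SIZE) return RS_REJECTED;
    unsigned pb = (rd16(pkt) >> 12) & 0x3;
    size_t payload_len = rd16(pkt + 2);
    const uint8_t *payload = pkt + HCI_ACL_PREAMBLE_SIZE;

    /* The ACL length field must match what was actually received. */
    if (payload_len != pkt_len - HCI_ACL_PREAMBLE_SIZE) return RS_REJECTED;

    if (pb == PB_FIRST_FLUSHABLE) {
        if (payload_len < L2CAP_HEADER_SIZE) return RS_REJECTED;
        size_t pdu_len = rd16(payload);                 /* announced L2CAP PDU length */
        if (pdu_len > MAX_L2CAP_PAYLOAD) return RS_REJECTED;
        reset_partial(pp);
        pp->len = L2CAP_HEADER_SIZE + pdu_len;
        pp->active = 1;
    } else if (pb == PB_CONTINUING) {
        if (!pp->active) return RS_REJECTED;            /* continuation with no start */
    } else {
        return RS_REJECTED;
    }

    /* The decisive check: a fragment that would overrun the announced length is
     * dropped together with the partial packet. Clamping it and continuing is
     * where length arithmetic tends to go wrong. offset <= len holds here. */
    if (payload_len > pp->len - pp->offset) { reset_partial(pp); return RS_REJECTED; }

    memcpy(pp->data + pp->offset, payload, payload_len);
    pp->offset += payload_len;
    if (pp->offset == pp->len) { pp->active = 0; return RS_COMPLETE; }
    return RS_NEED_MORE;
}

/* Generic illustration (not Fluoride's code): once an overrun is detected,
 * "remaining room minus a fixed header" wraps to a huge unsigned value when
 * the room is smaller than the header. A memcpy of that size follows. */
size_t clamped_copy_len_unsafe(size_t expected, size_t offset, size_t header) {
    size_t remaining = expected - offset;
    return remaining - header;   /* wraps when remaining < header */
}

/* Builds a constructed ACL packet into out[]; returns its total length. */
size_t build_acl(uint8_t *out, uint16_t handle, unsigned pb, const uint8_t *payload, size_t n) {
    uint16_t hf = (uint16_t)((handle & 0x0fff) | (pb << 12));
    out[0] = (uint8_t)(hf & 0xff);  out[1] = (uint8_t)(hf >> 8);
    out[2] = (uint8_t)(n & 0xff);   out[3] = (uint8_t)((n >> 8) & 0xff);
    memcpy(out + HCI_ACL_PREAMBLE_SIZE, payload, n);
    return HCI_ACL_PREAMBLE_SIZE + n;
}

/* Constructed scenario: an orphan continuation, then an 8-byte PDU split 4+4,
 * then the same PDU whose continuation carries 6 bytes, two more than announced.
 * Returns 1 when every step behaves as intended. */
int demo(void) {
    struct partial_packet pp = {0};
    uint8_t pkt[64];
    const uint8_t first[]    = {0x08, 0x00, 0x40, 0x00, 'A', 'A', 'A', 'A'}; /* len=8, CID=0x0040 */
    const uint8_t cont_ok[]  = {'B', 'B', 'B', 'B'};
    const uint8_t cont_bad[] = {'B', 'B', 'B', 'B', 'B', 'B'};
    size_t n;

    n = build_acl(pkt, 0x0040, PB_CONTINUING, cont_ok, sizeof cont_ok);
    if (reassemble_acl(&pp, pkt, n) != RS_REJECTED) return 0;
    n = build_acl(pkt, 0x0040, PB_FIRST_FLUSHABLE, first, sizeof first);
    if (reassemble_acl(&pp, pkt, n) != RS_NEED_MORE) return 0;
    n = build_acl(pkt, 0x0040, PB_CONTINUING, cont_ok, sizeof cont_ok);
    if (reassemble_acl(&pp, pkt, n) != RS_COMPLETE) return 0;
    if (pp.len != 12 || memcmp(pp.data + L2CAP_HEADER_SIZE, "AAAABBBB", 8) != 0) return 0;

    n = build_acl(pkt, 0x0040, PB_FIRST_FLUSHABLE, first, sizeof first);
    if (reassemble_acl(&pp, pkt, n) != RS_NEED_MORE) return 0;
    n = build_acl(pkt, 0x0040, PB_CONTINUING, cont_bad, sizeof cont_bad);
    if (reassemble_acl(&pp, pkt, n) != RS_REJECTED) return 0;
    return pp.active == 0;   /* the overrun discarded the partial state as well */
}

int main(void) {
    printf("reassembly demo: %s\n", demo() ? "ok" : "FAILED");
    printf("clamped length with 2 bytes of room: %zu\n", clamped_copy_len_unsafe(12, 10, 4));
    return demo() ? 0 : 1;
}
```

Compile with `cc -Wall -o acl_demo acl_demo.c` and run; the second line shows the wrapped length. The design point is that an overrun should invalidate the whole partial packet, not just the offending fragment: if state is kept, a later continuation can attach to stale data, and any attempt to "copy what still fits" reintroduces exactly the length arithmetic the page describes as broken.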
On Android 8 and 9 the issue can lead to code execution; on Android 10 it is limited to a crash of the Bluetooth background process, i.e. a denial of service. Older Android releases are potentially affected, but exploitability on them has not been tested. Users are advised to install the firmware update as soon as possible; where that is not possible, keep Bluetooth switched off by default, disable device discoverability, and enable Bluetooth in public places only when strictly necessary (which includes swapping wireless headphones for wired ones).
Besides this issue, the February set of Android security patches fixed 26 vulnerabilities, one more of which (CVE-2020-0023) was rated critical. It also affects the Bluetooth stack and stems from incorrect handling of the BLUETOOTH_PRIVILEGED permission in setPhonebookAccessPermission. Of the issues rated high severity, 7 were fixed in frameworks and applications, 4 in system components, 2 in the kernel and 10 in open-source and proprietary components for Qualcomm chips.