
PoC to take over an Android device using another Android device by exploiting a critical Bluetooth vulnerability to install a #Metasploit payload without proper Bluetooth pairing (CVE-2023-45866). It still affects Android 10 and below. #NetHunter

108,872 views • 2 years ago • via X (Twitter)

11 comments

Mobile Hacker, 2 years ago

In a different 0-click exploit scenario: it is also possible to lock the user out of their smartphone by brute-forcing lock-screen passcodes in a loop to trigger the 30-second and then 60-second timeout. Injected key-presses are typed way faster than the user taps to unlock the device.

Mobile Hacker, 2 years ago

How to prevent becoming a victim:
1) For Android 10 and below, the security patch is not available, so turn off Bluetooth if not in use.
2) For Android 11 and above, install the 2023-12-05 security patch (if the OEM has already pushed it).
3) Don't start Discoverable Mode, which discloses the MAC address.

Youssef (s3c), 2 years ago

Is victim interaction required to accept the Bluetooth connection with the attacker device?

Mobile Hacker, 2 years ago

No. The exploit forces the Bluetooth pairing without any victim interaction.

Hackhunting, 2 years ago

Keep up the good work! Hope to see a new PoC video on macOS, iOS and Windows ;)

oufi, 2 years ago

Can you share the script to inject the Metasploit payload? Thanks.

Mobile Hacker, 2 years ago

Since many Android devices are still vulnerable with no option to patch this issue, I decided not to share the PoC script that injects the Metasploit payload. I hope you understand my concerns.

Rubayet Hassan - MR_Prey3r, 2 years ago

🔥

Rumato Estorsky, 2 years ago

How to detect whether Metasploit was installed or not?

moreese, 2 years ago

🔥 But is the target device rooted?

Mobile Hacker, 2 years ago

It doesn't matter whether the target is rooted or not. It affects the Bluetooth protocol of devices running Android version 10 and below.
