Android users are urged to apply the latest security patches released for the operating system. An attacker could leverage the security flaw, now identified as CVE-2020-0022 without user participation to run arbitrary code on the device. The bug is considered critical on Android Oreo (8.0 and 8.1) and Pie (9) because exploiting it leads to code execution. Attackers could use this security fault to spread malware from one vulnerable device to another, like a worm. The only prerequisite for exploiting the issue is knowing the Bluetooth MAC address.
Source: https://www.bleepingcomputer.com/news/security/critical-android-bluetooth-flaw-exploitable-without-user-interaction/