Stock image of Android smartphone

Android users urged to update to avoid ‘critical’ Bluetooth vulnerability

Security failure let hackers silently install malware on target phones

Like GearBrain on Facebook

Android users are urged to install the latest February software update to their smartphones, after a Bluetooth security flaw was discovered by cybersecurity researchers.

The flaw was found on versions 8.0 and 9.0 of Android, also known as Oreo and Pie, which despite not being the latest version of Android, are still installed on millions of smartphones all over the world.

Read More:

Described as a "critical Bluetooth vulnerability," the flaw, known as BlueFrag, was discovered by ERNW, an IT security company. The flaw allows an attacker within Bluetooth range of an Android 8.0 or 9.0 smartphone to hack into and potentially steal personal data from a victim's smartphone or spread malware, all without them noticing.

Nokia 6.2 - Android 9.0 Pie - 64 GB - Triple Camera - Unlocked Smartphone (AT&T/T-Mobile/MetroPCS/Cricket/Mint) - 6.3" FHD+ HDR Screen - Ice Blue - U.S. Warranty

The hacker only needs to know the Bluetooth MAC address of the target phone, which can easily be guessed by looking at the device's Wi-Fi MAC address; this can be done simply by being close enough to connect to the phone. This is the kind of attack that is simple to perform in busy public spaces, like cafes and bars.

ERNW disclosed the vulnerability to Google in November 2019 and a patch was released for Android users in February 2020. The company says it expects users to begin installing the patch in meaningful numbers in the next two to three weeks.

Although the latest version 10.0 of Android isn't affected, Google has a poor track record for getting its users to upgrade, with millions of handsets likely still running older versions, and even those before Android 8.0, which could also be vulnerable to BlueFrag. Indeed, after Android 10.0 arrived in September 2019, the most-used version was 6.0 Marshmallow, appearing on 17 percent of devices.

Googleplex - Google Headquarters with Android figureAndroid updates often to take to arrive on users' phones Getty Images

Compounding the issue is how Google doesn't send software updates directly to users. Instead, they are distributed by phone manufacturers, and under Google rules they only have to offer updates for two years after a phone is launched. They also have 90 days to patch Android flaws, meaning users could potentially be vulnerable to BlueFrag until early May.

Users are strongly advised to install the update. But if it isn't available for them yet (or if they are using an older handset that is no longer supported), ERNW suggests they only enable Bluetooth when strictly necessary, and keep the device non-discoverable, which means not leaving the Bluetooth settings page open for longer than necessary.

ERNW isn't sharing any more information about how it discovered the flaw, or exactly how it can be exploited, until it is confident that most Android users have installed the patch.

Mobvoi Ticwatch E (Express) Smartwatch 44mm Polycarbonate - Black TicWatch E shadow (Renewed)

Like GearBrain on Facebook
The Conversation (0)

GearBrain Compatibility Find Engine

A pioneering recommendation platform where you can research, discover, buy, and learn how to connect and optimize smart devices.

Join our community! Ask and answer questions about smart devices and save yours in My Gear.

Top Stories

Weekly Deals