Security failure let hackers silently install malware on target phones
Android users are urged to install the latest February software update to their smartphones, after a Bluetooth security flaw was discovered by cybersecurity researchers.
The flaw was found on versions 8.0 and 9.0 of Android, also known as Oreo and Pie, which despite not being the latest version of Android, are still installed on millions of smartphones all over the world.
Described as a "critical Bluetooth vulnerability," the flaw, known as BlueFrag, was discovered by ERNW, an IT security company. The flaw allows an attacker within Bluetooth range of an Android 8.0 or 9.0 smartphone to hack into and potentially steal personal data from a victim's smartphone or spread malware, all without them noticing.
Nokia 6.2 - Android 9.0 Pie - 64 GB - Triple Camera - Unlocked Smartphone (AT&T/T-Mobile/MetroPCS/Cricket/Mint) - 6.3" FHD+ HDR Screen - Ice Blue - U.S. Warranty
The hacker only needs to know the Bluetooth MAC address of the target phone, which can easily be guessed by looking at the device's Wi-Fi MAC address; this can be done simply by being close enough to connect to the phone. This is the kind of attack that is simple to perform in busy public spaces, like cafes and bars.
ERNW disclosed the vulnerability to Google in November 2019 and a patch was released for Android users in February 2020. The company says it expects users to begin installing the patch in meaningful numbers in the next two to three weeks.
Although the latest version 10.0 of Android isn't affected, Google has a poor track record for getting its users to upgrade, with millions of handsets likely still running older versions, and even those before Android 8.0, which could also be vulnerable to BlueFrag. Indeed, after Android 10.0 arrived in September 2019, the most-used version was 6.0 Marshmallow, appearing on 17 percent of devices.
Compounding the issue is how Google doesn't send software updates directly to users. Instead, they are distributed by phone manufacturers, and under Google rules they only have to offer updates for two years after a phone is launched. They also have 90 days to patch Android flaws, meaning users could potentially be vulnerable to BlueFrag until early May.
Users are strongly advised to install the update. But if it isn't available for them yet (or if they are using an older handset that is no longer supported), ERNW suggests they only enable Bluetooth when strictly necessary, and keep the device non-discoverable, which means not leaving the Bluetooth settings page open for longer than necessary.
ERNW isn't sharing any more information about how it discovered the flaw, or exactly how it can be exploited, until it is confident that most Android users have installed the patch.
Mobvoi Ticwatch E (Express) Smartwatch 44mm Polycarbonate - Black TicWatch E shadow (Renewed)