Android security flaw lets attackers send malware over Bluetooth

There is a patch, but not everyone can get it.

If you're using a not-quite current Android phone, you'll probably want to check for an update. Security researchers at ERNW have detailed a vulnerability, BlueFrag, that lets attackers silently deliver malware to and steal data from nearby phones running Android 8 Oreo or Android 9 Pie. The intruder only needs to know the Bluetooth MAC address of the target, and that's sometimes easy to guess just by looking at the WiFi MAC address. You won't even know the attack is happening, ERNW said.

BlueFrag doesn't work with Android 10. It's possible that versions before Android 8 are affected, but the team hadn't "evaluated the impact" on older releases.

You can protect yourself by installing the February 2020 security patch, and the Bluetooth nature of the flaw means that you'll have to be relatively close to an attacker. This will mainly be a concern in public spaces where there's an abundance of targets.

The problem, as you might imagine, is that many of the affected devices have either lost software updates or don't receive them consistently. Google only requires popular phone makers to provide security updates for two years, and that policy appears to have been enforced at the start of 2019. Given that Android 8 is easily past that two year mark, you might never get a BlueFrag fix if your phone is old enough. The requirements also let vendors go up to 90 days before patching a flaw. That could leave users vulnerable for months even if they are slated to get security updates. When most Android users are historically likely to be running a version of Android earlier than 10, that could leave many people exposed for years to come.