Android security flaw lets attackers send malware over Bluetooth

There is a patch, but not everyone can get it.
If you're using a not-quite current Android phone, you'll probably want to check for an update. Security researchers at ERNW have detailed a vulnerability, BlueFrag, that lets attackers silently deliver malware to and steal data from nearby phones running Android 8 Oreo or Android 9 Pie. The intruder only needs to know the Bluetooth MAC address of the target, and that's sometimes easy to guess just by looking at the WiFi MAC address. You won't even know the attack is happening, ERNW said.

BlueFrag doesn't work with Android 10. It's possible that versions before Android 8 are affected, but the team hadn't "evaluated the impact" on older releases.

You can protect yourself by installing the February 2020 security patch, and the Bluetooth nature of the flaw means that you'll have to be relatively close to an attacker. This will mainly be a concern in public spaces where there's an abundance of targets.

The problem, as you might imagine, is that many of the affected devices have either stopped receiving software updates or don't receive them consistently. Google only requires popular phone makers to provide security updates for two years, and that policy appears to have been enforced at the start of 2019. Given that Android 8 is easily past that two-year mark, you might never get a BlueFrag fix if your phone is old enough. The requirements also let vendors take up to 90 days to patch a flaw, which could leave users vulnerable for months even if they are slated to get security updates. Since most Android users have historically been running a version earlier than 10, many people could be exposed for years to come.
