If you’ve got an Android phone and haven’t downloaded the February 2020 security patch yet, you should probably do so soon.
Security researchers at ERNW, a German-based IT security service provider, detailed a vulnerability called BlueFrag in a post on their website. BlueFrag could allow attackers to silently deliver malware to an Android phone. Further, it could allow attackers to steal data from an Android device without the owner ever knowing.
However, the vulnerability is only present on phones running Android 8.0 Oreo and Android 9 Pie. ERNW says it’s possible the vulnerability is in older versions of Android as well, but it hadn’t “evaluated the impact” on older releases.
For attackers to make use of BlueFrag, they only need to know a device’s Bluetooth MAC address, which can be easy to guess by looking at the Wi-Fi MAC address. Fortunately, because the vulnerability relies on Bluetooth, an attacker would need to be fairly close by to make this work. Ultimately, this is a concern when spending time in a public space, such as a coffee shop, where an attacker would have both proximity to you and potential access to the device information needed to initiate an attack.
BlueFrag doesn’t work on devices running Android 10. Additionally, Google patched the vulnerability with the latest February security patch. Unfortunately, that’s also a problem since Google’s policies require that manufacturers provide at least two years of security updates. Since Android 8 is passed that two-year mark, most phones that ran Android 8 may not get the new security patch with the fix.
Further, manufacturers have up to 90 days to patch a flaw, which could leave users vulnerable for months even if they are slated to get the update.
ERNW says it won’t publish a technical report about the vulnerability until it’s confident patches have reached users. But with the way Android updates work, it could be years before enough people are protected.
Thankfully, ERNW also shared tips users can take to protect themselves until they get a patch. To start, ERNW suggests that users only enable Bluetooth when strictly necessary. It also advises that users keep their devices ‘non-discoverable.’ However, that option may not be available on older phones.