According to a recent warning published by security researchers at ERNW, some unpatched Android devices can be infected with malware via Bluetooth.
It seems that hackers can never run out of different ways to target people and infect their devices with malicious software. New vulnerabilities are being reported all the time, and the most recent one involves quite a lot of people who use Android phones.
According to researchers from ERNW, a new vulnerability known as BlueFrag has been identified. The vulnerability affects devices that run Android OS. Two versions of the system were found to be vulnerable — Android 8 Oreo and Android 9 Pie. As the researchers warn, devices running these versions of Android could be infected with malware via Bluetooth.
In their post, researchers noted that all that the hackers need to know is the Bluetooth MAC address of their target’s device. At times, this can even be guessed simply by looking at the Wi-Fi MAC address. Furthermore, the approach is rather stealthy, so targets might not even realize that their devices are being infected.
The researchers confirmed only the two versions mentioned above to be vulnerable, although they note that older versions might be flawed as well. Those who have Android 10 on their devices, however, cannot be harmed in this way.
Fortunately, it is possible to protect vulnerable devices by installing a security patch published in February 2020. Another advantage that potential victims have is the fact that they would need to be in Bluetooth range in order for an attack to work. Even so, this means that anyone without a proper patch is vulnerable in public spaces.
There is another issue, however: many of the devices that could be affected have either stopped receiving software updates or do not receive them on a regular basis at all. After all, Google only requires that phone makers provide updates for two years, and even that policy is relatively new, having come into effect in early 2019.
Since Android 8 has already passed its two-year mark, a fix for this flaw might never arrive for some devices. Furthermore, vendors are given 90 days to issue the patch, so users could remain vulnerable for up to three months even if the patch does eventually arrive.