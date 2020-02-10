

If you have an Android phone and have not yet downloaded the February 2020 security patch, you should probably do so soon.

Security researchers from ERNW, an IT security service provider based in Germany, described a security vulnerability called BlueFrag in a post on their website. With BlueFrag, attackers can transfer malware to an Android phone in the background. In addition, attackers could steal data from an Android device without the owner ever knowing.

However, the vulnerability only occurs on phones running Android 8.0 Oreo and Android 9 Pie. According to ERNW, the vulnerability may also be present in older versions of Android, but the impact on older releases has not been assessed.

To use BlueFrag, attackers only need to know the Bluetooth MAC address of a device, which is easy to guess from the WLAN MAC address. Fortunately, since the vulnerability depends on Bluetooth, an attacker would need to be nearby for this to work. Ultimately, this is a problem when you are in a public space, such as a coffee shop, where an attacker can both be nearby and potentially access the device information needed to trigger an attack.

BlueFrag does not work on Android 10 devices. In addition, Google has patched the vulnerability with the latest security patch for February. Unfortunately, getting that patch is a problem in itself, because Google’s policies require manufacturers to provide security updates for at least two years. Since Android 8 has passed this two-year period, most phones running Android 8 may not get the new security patch with the fix.

In addition, manufacturers have up to 90 days to correct a problem. This can result in users being at risk for months, even if they want to get the update.

ERNW says it will not release a technical report on the vulnerability until it is confident that the patches have reached users. However, given how Android updates work, it can take years for enough people to be protected.

Fortunately, ERNW also offers tips that users can follow to protect themselves until they receive a patch. First, ERNW recommends that you only activate Bluetooth if this is absolutely necessary. It also recommends that users keep their devices non-discoverable. However, this option may not be available on older phones.

Source: ERNW Via: Engadget

