If you are using a phone with Android 8.0 Oreo or 9.0 Pie, we recommend installing the latest security update right away.
The reason? There is a security flaw that a group of researchers says can be exploited via Bluetooth to silently hack smartphones.
Here's all you need to know about the bug in question and its impact.
BlueFrag vulnerability allowing code execution over Bluetooth
As first reported by the researchers at IT security firm ERNW, smartphones running Android 8.0 and 9.0 carry a security flaw that enables remote code execution over Bluetooth.
The group declined to share specific details but claimed that a nearby threat actor can use this bug, dubbed BlueFrag, to infect your phone with malware and then use it to steal data such as photos and videos.
Here's what the researchers said about the bug
According to the researchers, on Android 8.0 to 9.0, a remote attacker within proximity can silently execute arbitrary code with the privileges of the Bluetooth daemon as long as Bluetooth is enabled.
Everything happens covertly, no user interaction needed
The research team claimed that BlueFrag compromises the phone without any sign, so you won't know when the attack is happening, and the attacker doesn't even have to interact with the phone.
They just have to be near the target device and know its Bluetooth MAC address, which can be deduced from the Wi-Fi MAC address, although doing so is not easy.
Android 10 not affected, but older versions can be
Apart from Oreo and Pie, older versions of Android may also be vulnerable.
However, that still needs to be confirmed, as the researchers claim they only evaluated the latest iterations of Android and not the older ones.
They also emphasized that Android 10 remains completely unaffected by the issue; trying this attack on Android 10 simply results in crashing its Bluetooth stack.
Installing latest security update is the fix
The fix for this issue comes with the February 2020 security update.
This means you'd either have to update to Android 10 or install the latest security patch to protect your phone.
If the update is not available, you don't have to rush to buy a new phone, as there are no reports of active exploits yet.
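To check a device against the versions and fix described above, the following added example (not from the article or from ERNW) reads the Android release and security patch level over adb and classifies the result. The `2020-02-01` threshold is an assumption for the first patch-level string of the February 2020 update, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: classify a device's BlueFrag exposure from two values
# reported by the device itself. Categories follow the article.

FIXED_LEVEL="2020-02-01"   # assumption: first patch-level string of the February 2020 update

# bluefrag_status RELEASE PATCH_LEVEL
#   RELEASE      e.g. "8.1.0", "9", "10"  (ro.build.version.release)
#   PATCH_LEVEL  e.g. "2019-11-05"        (ro.build.version.security_patch)
bluefrag_status() {
    release=$1
    patch=$2
    major=${release%%.*}

    # Reject anything that is not a numeric release or a YYYY-MM-DD patch level
    case $major in
        ''|*[!0-9]*) echo "unknown"; return 0 ;;
    esac
    case $patch in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unknown"; return 0 ;;
    esac

    # ISO dates compare correctly as integers once the dashes are removed
    patch_num=$(printf '%s' "$patch" | tr -d '-')
    fixed_num=$(printf '%s' "$FIXED_LEVEL" | tr -d '-')

    if [ "$patch_num" -ge "$fixed_num" ]; then
        echo "patched"        # February 2020 update or later is installed
    elif [ "$major" -ge 10 ]; then
        echo "crash-only"     # article: the attack only crashes the Bluetooth stack
    elif [ "$major" -ge 8 ]; then
        echo "vulnerable"     # article: code execution on Android 8.0 to 9.0
    else
        echo "unconfirmed"    # article: older versions were not evaluated
    fi
}

# check_device [SERIAL]: query an attached device over adb and print its status
check_device() {
    rel=$(adb ${1:+-s "$1"} shell getprop ro.build.version.release | tr -d '\r')
    lvl=$(adb ${1:+-s "$1"} shell getprop ro.build.version.security_patch | tr -d '\r')
    echo "Android $rel, patch level $lvl: $(bluefrag_status "$rel" "$lvl")"
}
```

Run `check_device` with USB debugging enabled, or call `bluefrag_status` directly on values exported from a device inventory.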