Update Android to Fix a Major Bluetooth Bug

Anyone with an older Android device running Android 8 or 9 needs to be wary of using Bluetooth. A bug was discovered by cyber-security firm ERNW that allows anyone within range of a Bluetooth-enabled Android device to gain access to the device’s storage.

The hacker will need to know some extra details about the device—specifically its Bluetooth MAC address—before they can fully access the internal storage remotely, but as the ENRW’s bug report explains, that’s relatively easy to figure out. And once they’re in, an attacker could easily lift personal files and install malware or other spyware on the device without ever alerting the phone’s user.

The February 2020 Android security patch includes a fix for this bug, so you should download and install the patch if it’s available for you via the standard Android system update process.

ENRW’s bug report also notes that versions of Android even older than 8.0 could also suffer from the Bluetooth vulnerability, but those versions have not been tested. The bug also exists on Android 10, but it can’t be exploited, so there’s no risk there (though Android 10 users should still install the security update, since it includes other fixes).

If you can’t install the February 2020 security update because your Android is too old, the next-best solution is to stop using Bluetooth. This makes it impossible for hackers to use the exploit against you, though it also disables your ability to use Bluetooth accessories. (Hopefully your device still has a 3.5mm headphone jack.)

Otherwise, consider turning off your device’s Bluetooth discoverability—if possible—or make a mental note to flick off Bluetooth via the status bar, or what you see when you swipe down from the top of your screen, whenever you’re not using it.