Security researchers at the ERNW, a German-based firm that specializes in IT security, recently pointed out a vulnerability dubbed as the BlueFrag. This security flaw allows hackers to silently deliver malware to the victim’s phone via Bluetooth.

The hackers only need the Bluetooth MAC address of the target, which is quite easy to guess if one knows the WiFi MAC address. According to the researchers, the victim will not even know the attack is happening. This security flaw only affects smartphones running Android 8 Oreo or Android 9 Pie. Moreover, the attacker needs to be in the vicinity of the victim. Hence, Android 8 and Android 9.0 Pie users are vulnerable when in public spaces.

Users can protect themselves by installing the February 2020 security patch. However, the main problem is that the affected devices have either not received consistent updates or the software updates were lost.

As per Google’s policy, it only requires OEMs to provide security updates for two years and considering Android 8 is past that two-year mark, its users will most likely never get a BlueFrag fix. Apart from this, Google lets the vendors go up to 90 days before patching a flaw. Thus, users can be left vulnerable for months before getting a security update. Android 10 users, on the other hand, are safe. ERNW has also said that Android versions before Android 8 could be affected as well but the team has not evaluated them for impact.