Android App Created for Bluetooth Spam Attacks

Recently, enthusiasts added a Bluetooth attack feature to the alternative Xtreme firmware for Flipper Zero, allowing Bluetooth spam attacks on Android and Windows devices. Now, this functionality has been separated into a standalone Android app, so you no longer need a Flipper device to organize Bluetooth spam.

It all began in September 2023, when cybersecurity specialist Techryptic demonstrated that Flipper Zero could disrupt iPhone operation by sending numerous fake Bluetooth device connection requests. Techryptic’s idea quickly gained popularity, and Xtreme firmware developers soon expanded the Bluetooth attack feature to target Android and Windows devices as well.

According to Bleeping Computer, inspired by previous research and Flipper Zero solutions targeting iOS, Android, and Windows, developer Simon Dankelmann created a separate Android app capable of similar Bluetooth spam attacks. Specifically, the app can broadcast connection requests at intervals as short as one second, using Fast Pair for Android and Swift Pair for Windows.

Technical Limitations and Test Results

Journalists note that while the Android API allows developers to set the transmission power (TX) level, there is limited control over the actual data transmitted, depending on the TX power. This Android SDK limitation can result in poor signal reception by target devices. In contrast, Flipper Zero does not have this issue, as the device can operate over a wider and more precise range when connecting to other devices.

Tests showed that some messages were only received by target devices if the Android device generating them was just a few centimeters away. In other cases, notifications worked at distances of several meters.

Side Effects and Mitigation

Interestingly, the app was found to have a side effect: Bluetooth-connected devices such as mice and keyboards may stop responding during a Bluetooth spam attack. This could become another vector for denial-of-service attacks.

Currently, the app is still in development and mainly demonstrates the potential of such attacks rather than posing a real threat to users. However, it’s worth noting that Bluetooth connection request notifications can be easily disabled in Android and Windows settings.

• On Android: Go to Settings > Connected Devices > Connection preferences > Nearby Share to disable notifications.
• On Windows: Go to Settings > Bluetooth & devices > Devices, scroll down to Device settings, and switch off Show notifications to connect using Swift Pair.