Now Android and Windows devices aren’t safe from Flipper Zero either

The Flipper Zero can now carry out denial-of-service attacks on Android devices.

Adrian Kingsley-Hughes/ZDNET

A few days ago, a custom third-party firmware for the Flipper Zero was released. The firmware could flood iPhones and iPads with spam Bluetooth messages, and it even had a feature that could cause the device to lock up completely. This left a few Android users feeling smug about the security of their chosen platform over that of iOS and iPadOS.

Well, now the Bluetooth spam application for the Flipper Zero can target Android devices and PCs running Windows.


Now, again, this trick isn’t possible with a stock Flipper Zero. Instead, you need to load a developer build of the Xtreme third-party firmware onto the Flipper Zero. After the firmware has been installed, it’s a case of launching an app called BLE Spam and choosing the appropriate attack.

To flood Android devices with popups, the attack to choose is Android Device Pair. 

Press the Start button and popups begin to flood Android devices within range of the Flipper Zero.

Flooding an Android smartphone with popups using BLE Spam on the Flipper Zero.


And the popups continue until the attack is stopped on the Flipper Zero, the device goes out of range, or the user turns Bluetooth off. 

The popups are random and annoyingly jump in front of whatever you’re doing. 


Using a stock Flipper Zero, I can spam Android devices within a 20 to 30-foot range. If I switch to an external antenna, I can boost this range out to well over 50 feet.


As for the Windows attack, this is a lot less annoying because it generates little notifications from the system tray. This attack also relies on a feature called Swift Pair being enabled.

The Flipper Zero can also attack Windows devices.


Now, while there’s no malicious payload as part of this attack, let’s not overlook the fact that it is a denial of service attack. While a device is being flooded with popups, it’s rather hard to make proper use of it. And although it’s not as bad as the iOS flood attack that actually locks up the iPhone or iPad, this is still annoying to those being targeted. 


Again, the only way to protect against this attack is to disable Bluetooth. Since there’s no risk — yet — of this locking up an Android device, I don’t think you need to disable Bluetooth preemptively. But if you do find popups appearing, you can then take action.

The fastest way to disable Bluetooth on an Android device is by using the Quick Settings drop-down menu, which you can access by swiping down from the menu bar twice and then tapping the Bluetooth button to turn it off.
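Added example, not from the original article or from the firmware project: a Python detector that flags this kind of popup flood in a BLE scan log by counting distinct pairing advertisements per time window. The Fast Pair service UUID, the Microsoft company ID and the Swift Pair beacon type come from the vendors' public documentation rather than the article; the sample records, the 10-second window, the threshold of 5, and the mapping of the Android popups to Fast Pair advertisements are assumptions.

```python
from collections import defaultdict

# Identifiers from public vendor documentation, not from the article.
FAST_PAIR_UUID = 0xFE2C    # Google Fast Pair 16-bit service UUID
MICROSOFT_CID = 0x0006     # Bluetooth SIG company identifier for Microsoft
SWIFT_PAIR_BEACON = 0x03   # Microsoft beacon type used by Swift Pair

def ad_structures(payload: bytes):
    """Yield (ad_type, data) per length-prefixed AD structure; stop if malformed."""
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0 or i + 1 + length > len(payload):
            return
        yield payload[i + 1], payload[i + 2 : i + 1 + length]
        i += 1 + length

def pairing_kind(payload: bytes):
    """Return 'fast_pair', 'swift_pair' or None for one advertising payload."""
    for ad_type, data in ad_structures(payload):
        prefix = int.from_bytes(data[:2], "little") if len(data) >= 2 else None
        if ad_type == 0x16 and prefix == FAST_PAIR_UUID:      # service data
            return "fast_pair"
        if (ad_type == 0xFF and prefix == MICROSOFT_CID        # manufacturer data
                and len(data) >= 3 and data[2] == SWIFT_PAIR_BEACON):
            return "swift_pair"
    return None

def flood_windows(records, window_s=10, max_distinct=5):
    """Map (window_start, kind) -> count of distinct (address, payload) pairing
    adverts, for windows where the count exceeds max_distinct (assumed threshold)."""
    seen = defaultdict(set)
    for ts, addr, payload_hex in records:
        kind = pairing_kind(bytes.fromhex(payload_hex))
        if kind:
            seen[(int(ts // window_s) * window_s, kind)].add((addr, payload_hex))
    return {k: len(v) for k, v in seen.items() if len(v) > max_distinct}

# Constructed scan records: (seconds, advertiser address, payload hex).
SAMPLE = [(0.5 * n, f"C0:00:00:00:00:{n:02X}", f"02010606162cfe0000{n:02x}")
          for n in range(8)]                                   # flood-like burst
SAMPLE += [(t, "AA:AA:AA:AA:AA:01", "02010606162cfeaabbcc") for t in (20, 21, 22)]
SAMPLE += [(23, "BB:BB:BB:BB:BB:01", "06ff0600030080"),       # one Swift Pair device
           (24, "CC:CC:CC:CC:CC:01", "05ff06")]                # truncated, ignored

if __name__ == "__main__":
    print(flood_windows(SAMPLE))
```

A single accessory in pairing mode repeats one payload from one address and stays under the threshold, while the burst of differing pairing adverts in the first window is reported.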
