Now Android and Windows devices aren't safe from Flipper Zero either

The Bluetooth spam feature that was initially used to inundate, and even crash, iPhones has now been expanded to cover Android and Windows devices.
Written by Adrian Kingsley-Hughes, Senior Contributing Editor
The Flipper Zero

The Flipper Zero can now carry out a denial of service attacks on Android devices.

Adrian Kingsley-Hughes/ZDNET

A few days ago, a custom third-party firmware for the Flipper Zero was released. The firmware could flood iPhones and iPads with spam Bluetooth messages, and it even had a feature that could cause the device to lock up completely. This left a few Android users feeling smug about the security of their chosen platform over that of iOS and iPadOS.

Well, now the Bluetooth spam application for the Flipper Zero can target Android devices and PCs running Windows.

Also: Flipper Zero can be used to crash iPhones running iOS 17, but there's a way to foil the attack

Now, again, this trick isn't possible with a stock Flipper Zero. Instead, you need to load a developer build of Xtreme third-party firmware onto the Flipper Zero. After the firmware has been installed, it's a case of launching an app called BLE Spam and choosing the appropriate attack.

To flood Android devices with popups, the attack to choose is Android Device Pair. 

Press the Start button and popups begin to flood Android devices within range of the Flipper Zero.

The Flipper Zero next to phone

Flooding an Android smartphone with popups using BLE Spam on the Flipper Zero.

Adrian Kingsley-Hughes/ZDNET

And the popups continue until the attack is stopped on the Flipper Zero, the device goes out of range, or the user turns Bluetooth off. 

The Flipper Zero next to phone

The popups are random and annoyingly jump in front of whatever you're doing. 

Adrian Kingsley-Hughes/ZDNET

Using a stock Flipper Zero, I can spam Android devices within a 20 to 30-foot range. If I switch to an external antenna, I can boost this range out to well over 50 feet.

As for the Windows attack, this is a lot less annoying because it generates little notifications from the system tray. This attack also relies on a feature called Swift Pair to be enabled.

The Flipper Zero

The Flipper Zero can also attack Windows devices.

Adrian Kingsley-Hughes/ZDNET

Now, while there's no malicious payload as part of this attack, let's not overlook the fact that it is a denial of service attack. While a device is being flooded with popups, it's rather hard to make proper use of it. And although it's not as bad as the iOS flood attack that actually locks up the iPhone or iPad, this is still annoying to those being targeted. 

Also: 7 cool and useful things to do with your Flipper Zero

Again, the only way to protect against this attack is to disable Bluetooth. Since there's no risk -- yet -- of this locking up an Android device, I don't think you need to disable Bluetooth preemptively. But if you do find popups appearing, you can then take action.

The fastest way to disable Bluetooth on an Android device is by using the Quick Settings drop-down menu, which you can access by swiping down from the menu bar twice and then tapping the Bluetooth button to turn it off.

Editorial standards