New Bluetooth vulnerability can be exploited to silently hack Android phones
https://www.cnbc.com/2017/09/12/new-bluetooth-vulnerability-can-be-exploited-to-silently-hack-android-phones.html
This morning, Armis Security published details of a new Bluetooth vulnerability that could potentially expose millions of devices to remote attack. Dubbed BlueBorne, the attack works by masquerading as a Bluetooth device and exploiting weaknesses in the protocol to deploy malicious code, similar to the Broadcom Wi-Fi attack disclosed earlier this year. Because Bluetooth devices have high privileges in most operating systems, the attack can be executed without any input from the user. BlueBorne doesn't require devices to be paired with the malicious device, or even be set in discoverable mode.
Any iPhones running iOS 10 are immune to the attack, and Microsoft deployed a patch to fix the bug in July. That leaves Android devices as the most vulnerable, thanks in part to longstanding issues deploying patches through partners. Google told Motherboard that it has sent a fix to device manufacturers, although it's unclear when that patch will actually reach phones. In the meantime, Armis was able to demonstrate the attack on an unpatched Pixel, running malicious software remotely without user permission.