Samsung Fast Pair: How It Works and Why It's Vulnerable to Spam
The Same Popup Problem, Android Edition
BLE popup spam isn't just an iOS problem. Android has its own proximity pairing system - Google Fast Pair, adopted and extended by Samsung - that triggers popup prompts when compatible devices are nearby. The mechanism is almost identical: a BLE advertisement with a specific manufacturer or service data payload, parsed by the OS, rendered as UI without any user initiation.
This article covers how Google Fast Pair and Samsung's extension work at the protocol level, what the advertisement payload looks like, why rate limiting is weak, and how BLEShark Nano's Android BLESpam mode interacts with it.
Google Fast Pair: The Foundation
sequenceDiagram
participant DEV as BLE Device
(Galaxy Buds)
participant PHONE as Android Phone
participant GCLOUD as Google Cloud
(Device DB)
participant GACCT as Google Account
rect rgb(30, 30, 40)
Note over DEV,GCLOUD: Discovery Phase
DEV->>DEV: Enter pairing mode
DEV->>PHONE: BLE advertisement
(Service UUID: 0xFE2C
+ 3-byte model ID)
PHONE->>PHONE: Detect Fast Pair service
PHONE->>GCLOUD: Query model ID
GCLOUD-->>PHONE: Device name, image,
companion app info
PHONE-->>PHONE: Display half-sheet popup
"Your Galaxy Buds are nearby"
end
rect rgb(30, 40, 30)
Note over DEV,GACCT: Pairing Phase
PHONE->>DEV: GATT connection
PHONE->>DEV: Key-based pairing request
(encrypted with anti-spoofing key)
DEV-->>PHONE: Pairing response
Note over DEV,PHONE: BLE bonding completes
PHONE->>GACCT: Save device to account
(enables cross-device sync)
end
Note over DEV,GACCT: Device now auto-pairs
with all user's Android devices
Google Fast Pair full protocol flow - from BLE advertisement discovery through cloud-assisted identification to account-level device registration
Google Fast Pair was introduced in 2017 as a way to make pairing Bluetooth accessories to Android devices as frictionless as the iOS AirPods experience. The spec is public - Google publishes it as part of the Android partner documentation - which makes it easier to analyze than Apple's proprietary Continuity Protocol.
The core mechanism works like this: a compatible accessory (headphones, speakers, etc.) advertises a 3-byte model ID using Bluetooth's 16-bit Service UUID 0xFE2C (Google Fast Pair Service). Android's Fast Pair service runs in the background, scanning for this UUID. When it sees one, it looks up the model ID against Google's Fast Pair device registry to retrieve device metadata - name, icon, pairing instructions. Then it renders a popup asking the user to pair.
The lookup step is the key architectural decision. The advertisement itself only contains a model ID. The actual device name, image, and UI content come from Google's backend. This means the advertisement payload is small and simple - but it also means Android needs network connectivity to fully resolve the popup content.
Fast Pair Advertisement Structure
The Fast Pair advertisement uses a Service Data AD structure with UUID 0xFE2C:
AD Type: 0x16 (Service Data - 16-bit UUID)
UUID: 0xFE 0x2C (Fast Pair Service, little-endian)
Model ID: 0x?? 0x?? 0x?? (3 bytes identifying the device model)
That's it. Three bytes of model ID, wrapped in a Service Data record. The simplicity is by design - it keeps advertisement payload small and fast to parse.
Google maintains a registry of Fast Pair model IDs. Registered devices include headphones from Sony, Jabra, Bose, JBL, and most major Android-adjacent audio brands. When Android sees an unrecognized model ID, it may still show a generic popup or silently ignore it depending on Android version and settings.
Because the model ID is the only identifying content in the advertisement, and because any BLE transmitter can broadcast any service data payload, there's no way for Android to verify that the advertiser is actually the device it claims to be - at least not before showing the popup.
Samsung's Extension: Galaxy Buds and Seamless Setup
Samsung built on top of Google Fast Pair for its Galaxy ecosystem. Samsung devices advertise using both the standard Fast Pair UUID (0xFE2C) and Samsung-specific manufacturer data (company ID 0x0075 - Samsung Electronics).
For Galaxy Buds specifically, the advertisement includes an extended Samsung payload that carries device state: which buds are in the case, battery levels, and wear detection status. The overall structure is layered - the base Fast Pair popup comes from the Google service, while Samsung's Galaxy Wearable app renders a richer Samsung-specific popup for Galaxy hardware on Samsung phones.
This means a Galaxy phone near Galaxy Buds can show a full rich popup with battery percentages and a "Connect" button - similar to what iOS shows for AirPods. Non-Samsung Android phones near the same Galaxy Buds see only the standard Fast Pair prompt.
The Spam Vector
The Fast Pair popup triggers on advertisement receipt plus optional registry lookup. There are a few factors that make this easy to spam:
No pairing state check. Android doesn't verify whether the advertising device has previously been paired or seen before before showing the popup. A fresh model ID from an unknown device will trigger the prompt.
No per-device cooldown. Unlike iOS 17.2+, Android's Fast Pair service historically had minimal rate limiting per advertiser MAC. Multiple popups from the same MAC in rapid succession could stack on some Android versions.
MAC rotation bypasses what limits do exist. If Android does implement a cooldown by advertiser MAC, a device that changes its MAC address per advertisement cycle can continuously appear as a new device. BLE allows random address types for exactly this reason (privacy), so there's nothing technically wrong with MAC rotation - it just happens to sidestep popup suppression.
Registry lookup can fail gracefully. On some Android versions and configurations, a failed registry lookup (unknown model ID, no network, etc.) still results in a generic "New device nearby" popup rather than silent suppression.
Android Version Behavior
Google has adjusted Fast Pair behavior across Android versions, though not as aggressively as Apple has addressed the iOS side:
Android 6-9: Fast Pair v1 behavior - popup triggers, limited rate limiting, model IDs not strictly validated against registry before showing UI.
Android 10-11: Fast Pair v2 introduced cryptographic verification for the actual pairing flow, but the initial advertisement-triggered popup was not cryptographically gated. Popup behavior largely unchanged.
Android 12-13: Google added some improvements to popup frequency. The "Bluetooth device nearby" style notifications became less intrusive in some configurations. Rate limiting improved slightly.
Android 14+: Google has continued tightening Fast Pair notification behavior. The most aggressive popup types are now harder to trigger on stock Android 14. Samsung's One UI layer has its own behavior which may differ.
The Samsung Galaxy Wearable app, which handles rich Samsung-specific popups, applies its own logic separate from the base Android Fast Pair service. This means Samsung phones may behave differently than stock Android Pixel devices when receiving the same advertisement.
Fast Pair vs Samsung Popup: What's the Difference in Practice
When testing BLESpam Android modes, you'll see two distinct popup types:
Google Fast Pair popup: A small bottom sheet that says something like "[Device Name] - Tap to pair" with a device image. This is rendered by Android's system Fast Pair service. It appears on all Android phones with Google Play Services active, not just Samsung devices.
Samsung popup: A richer sheet that may include battery information, device artwork, and Samsung branding. This requires a Samsung phone with the Galaxy ecosystem apps installed. It triggers from the Samsung-specific manufacturer data in the advertisement in addition to (or instead of) the standard Fast Pair payload.
For BLESpam, you can target one or both. Broadcasting only the Fast Pair UUID payload (0xFE2C + model ID) affects all Android devices. Adding Samsung manufacturer data targets Samsung phones specifically with the richer popup.
BLEShark Nano: Android BLESpam
graph TD
subgraph "BLEShark Nano Android BLESpam"
SELECT["User selects
BLESpam mode"]
MODE["Choose target:
Samsung / Google
Fast Pair"]
subgraph "Packet Generation"
FE2C["Service UUID: 0xFE2C
(Fast Pair)"]
MODEL["Cycle model IDs:
Galaxy Buds Pro
Pixel Buds
Sony WF-1000XM5
..."]
TX_PWR["Set TX power
(controls popup range)"]
end
subgraph "Target Phone Behavior"
RECV["Phone receives
advertisement"]
CLOUD_Q["Queries Google Cloud
for model info"]
POPUP["Half-sheet popup
appears with device image"]
DISMISS["User dismisses"]
NEXT["Next popup appears
(different device)"]
end
end
SELECT --> MODE --> FE2C
FE2C --> MODEL --> TX_PWR
TX_PWR -->|"Every ~100ms"| RECV
RECV --> CLOUD_Q --> POPUP --> DISMISS --> NEXT
NEXT -->|"Continuous cycle"| POPUP
subgraph "Android Defenses"
A13["Android 13+
Rate limiting added"]
A14["Android 14+
Fast Pair can be
fully disabled"]
LEGACY["Android 12 and below
No mitigation"]
end
BLEShark Nano Android BLESpam workflow - spoofed Fast Pair advertisements trigger cascading device popups on nearby Android phones
The BLEShark Nano's BLESpam mode includes an Android mode that cycles through known Fast Pair model IDs and Samsung advertisement payloads. Each advertisement uses a different model ID and rotated MAC address to maximize popup visibility on nearby Android devices.
The BLEShark broadcasts these as standard BLE ADV_IND frames - there's nothing exotic happening at the radio layer. The ESP32-C3's BLE 5.0 stack handles the timing and channel hopping across the three BLE advertising channels (37, 38, 39) automatically.
In a security assessment context, demonstrating Fast Pair popup spam to a client makes the proximity attack surface tangible. The popup looks completely legitimate - it shows real device names (pulled from Google's registry if connected) and real device artwork. A distracted user in a busy environment could tap "Connect" on a spoofed popup, initiating a pairing request with whoever is broadcasting.
What happens after that tap is limited - Fast Pair still requires completing the actual Bluetooth pairing flow, which involves the OS managing the connection. But the popup itself is convincing enough to be a valid social engineering demonstration.
For distributed testing, Shiver mesh lets you deploy multiple BLEShark Nanos across a space (up to 16 nodes, 20-50m range via ESP-NOW). Each node runs BLE independently, so you can cover a larger area than a single device allows. The mesh coordination overhead is minimal during BLESpam because each node is primarily broadcasting rather than receiving.
Disabling Fast Pair on Android
Users who want to eliminate the Fast Pair popup attack surface have a few options:
Disable Fast Pair notifications: In Android Settings, go to Google > Devices & Sharing > Scan for nearby devices (or similar path depending on Android version) and toggle off "Scan for nearby devices." This disables the background BLE scanning that feeds Fast Pair.
Turn off Bluetooth when not in use: No BLE scanning happens when Bluetooth is off. For high-security environments, this is the cleanest mitigation.
Disable Samsung's Seamless Setup: On Samsung phones, Galaxy Wearable app has its own scanning behavior. Disabling "Auto connect to nearby devices" in the app reduces Samsung-specific popup frequency.
None of these are practical as persistent enterprise policies for most users - Bluetooth is too useful to leave disabled by default. But for security awareness demonstrations, showing staff the popup behavior and explaining what it is goes a long way.
What Makes This Different From Apple's Approach
graph LR
subgraph "Apple Nearby Actions"
A_PROTO["Proprietary
Continuity Protocol"]
A_ID["Company ID: 0x004C"]
A_TYPE["Type bytes:
0x0F Nearby Action
0x07 Proximity Pair"]
A_AUTH["No authentication
on advertisements"]
A_POPUP["iOS popup
(no cloud lookup)"]
A_DEF["iOS 17.2+
rate limiting"]
end
subgraph "Google Fast Pair"
G_PROTO["Google Fast Pair
(semi-open standard)"]
G_ID["Service UUID: 0xFE2C"]
G_TYPE["3-byte model ID
in service data"]
G_AUTH["Anti-spoofing key
(only at pairing)"]
G_POPUP["Android popup
(cloud image lookup)"]
G_DEF["Android 14+
disable option"]
end
subgraph "Common Vulnerability"
VULN["Unauthenticated BLE
advertisements trigger
UI actions on nearby
devices"]
BLESHARK["BLEShark Nano
spoofs both protocols"]
end
A_AUTH --> VULN
G_AUTH --> VULN
VULN --> BLESHARK
Apple Nearby Actions vs Google Fast Pair - both protocols share the same fundamental vulnerability: unauthenticated BLE advertisements triggering UI popups
The key architectural difference between Google Fast Pair and Apple's Continuity Protocol is openness. Google publishes the Fast Pair spec and runs an open registry that partners can submit devices to. Apple keeps Continuity proprietary, which means the attack surface had to be reverse-engineered before it was well understood.
Ironically, the open spec makes the attack easier to implement precisely because the payload format is documented. But it also means Google can update the protocol transparently - and has, in Android 12+. Apple's changes have been opaque, appearing in firmware updates without detailed changelogs about what specifically changed in Continuity popup behavior.
For security researchers, both platforms have the same fundamental problem: the OS renders proximity UI based on unauthenticated BLE advertisements because authentication at that layer would break the zero-friction user experience the feature is designed to deliver.
The Protocol Takeaway
Fast Pair is a well-designed convenience feature with a straightforward protocol. The spam vulnerability isn't a bug in the spec - it's a consequence of the design goal. Getting from "device nearby" to "popup on screen" without any user action requires trusting the advertisement at face value.
Understanding the payload structure - UUID 0xFE2C, 3-byte model ID, optional Samsung manufacturer data - gives you everything you need to test this in a controlled environment, document the exposure for a client, and explain specifically what an attacker could and couldn't do with it.
The BLEShark Nano puts that testing capability in a $36.99 device that fits in a pocket.
Get BLEShark Nano - $36.99+