WhisperPair APK is a cybersecurity research tool built to highlight a serious flaw—CVE-2025-36911—in Google’s Fast Pair system. This issue affects a large number of Bluetooth audio devices globally, allowing attackers to connect to them without permission and even access microphones without the user's knowledge.
What is WhisperPair APK?
WhisperPair APK isn’t a typical app—it's a set of exploit techniques that show how attackers could take control of widely used Bluetooth audio accessories that rely on Google Fast Pair. In certain situations, these attacks may also allow tracking of a device’s location through Google’s Find Hub network—all without any user interaction.
The vulnerability was uncovered by researchers from a university in Leuven, Belgium, who identified multiple weaknesses in audio devices using the Fast Pair protocol. Affected products come from major brands such as Sony, Jabra, JBL, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech, and even Google.
Google Fast Pair is designed to simplify Bluetooth connections by enabling quick pairing between accessories like earbuds or headphones and Android devices, while also syncing them across a user’s Google account. It relies on Bluetooth Low Energy (BLE) to detect nearby devices, which is why it’s widely adopted in premium audio products—expanding the risk to hundreds of millions of devices.
The core issue lies in Fast Pair not properly verifying whether a device is actually in pairing mode. Because of this, an attacker-controlled device—like a laptop—can initiate pairing even when the earbuds are already in use, such as being worn or stored in a pocket. Once connected, the attacker can gain full control of the accessory.
What an attacker can do next depends on the device’s features. This could include playing unwanted sounds or, more seriously, recording audio through built-in microphones.
The risk becomes even greater if the attacker connects to the device before the actual user does. In that case, the attacker can assign their own Google account as the owner. If the accessory supports Google’s Find Hub network, this could allow ongoing location tracking of the device.
Google has labelled this vulnerability as critical under CVE-2025-36911. However, fixing it depends on firmware or software updates released by the device manufacturers—not just updates to your smartphone. Users are strongly advised to check for updates from their specific audio device brand and install them as soon as they become available.
Key Features of Whisper Pair APK
- BLE Scanner – Identifies nearby Fast Pair-enabled devices in real time
- Vulnerability Tester – Safely verifies whether CVE-2025-36911 is patched or not
- Exploit Demonstration – Provides a proof-of-concept strictly for authorized testing
- HFP Audio Access – Illustrates how microphone access can be obtained after exploitation
- Live Listening – Streams audio directly to the connected device instantly
- Audio Recording – Allows captured audio to be saved for further analysis
- Device Status Detection – Detects and flags devices that are currently in pairing mode
- Key-Based Bypass – Demonstrates how Fast Pair authentication could be bypassed
- BR/EDR Extraction – Retrieves Bluetooth Classic (BR/EDR) device addresses
- Classic Bonding – Establishes persistent connections with audio devices
- Account Key Persistence – Showcases how devices could be tracked over an extended period
Hijacking Fast Pair Devices
Whisper Pair Github APK allows attackers to connect to vulnerable Fast Pair accessories like earbuds or headphones without user permission. This can happen within seconds and from a normal Bluetooth range. Once connected, attackers can control the device, play audio, or even access the microphone to listen to conversations. The issue exists because some devices fail to properly check whether they are in pairing mode before accepting connection requests.
Tracking via Find Hub
In some cases, attackers can also misuse Google’s Find Hub network. If the accessory has never been paired with an Android device, an attacker can link it to their own account and track its location. The victim may receive a tracking alert later, but it can appear as their own device, making it easy to ignore.
Screenshots:
Impact
This vulnerability affects multiple devices, brands, and chipsets, even after passing official testing and certification. It highlights a larger security gap, as attackers can gain access or track devices quickly without any user interaction.
Responsible Disclosure & Mitigation
The issue was reported to Google in August 2025 and labelled as a critical vulnerability (CVE-2025-36911). A 150-day disclosure period was followed to allow fixes, and the researchers received a $15,000 reward for reporting it.
The vulnerability can only be fixed through software updates provided by device manufacturers. While some devices have already received patches, others may still be unprotected, so users should check with the manufacturer for updates.
