Re: Who would not do this?
"Surely nobody leaves their Bluetooth open like that?"
You might not know this but Android apps that have the BLUETOOTH_ADMIN permission in their manifest will allow an app to pair with other devices using bluetooth and apps with the BLUETOOTH_PRIVILEGED permission in the apps manifest: "Allows applications to pair bluetooth devices without user interaction, and to allow or disallow phonebook access or message access."
I do know that apps that contain Facebook's SDK's use bluetooth to discover a users location to serve targeted ads and that apps that contain the BLUETOOTH_ADMIN permission in their manifest was a very good indication that the app had Facebook's SDK's inside.
Also, correct me if I'm wrong, but I believe the BLUETOOTH_PRIVILEGED permission is a newer more fine-grained permission and that older Android versions allowed an app to pair bluetooth without user interaction with just the BLUETOOTH_ADMIN permission.