Researchers at the Nightwatch Cybersecurity agency have found a new vulnerability in the Android OS.
According to their blog post, system broadcasts by Android OS expose information about the user’s device to all applications running on the device. This includes the WiFi network name, BSSID, local IP addresses, DNS server information & the MAC address. Some of this information (the MAC address) is no longer available via APIs on Android 6 & higher, & extra permissions are normally required to access the rest of it, said the team. But by listening to these broadcasts, any application on the device can capture this information, bypassing any permission checks and existing mitigations, often even for legitimate purposes.
Because MAC addresses do not change & are tied to hardware, this can be used to uniquely identify & track any Android device even when MAC address randomization is used. The network name & BSSID can be used to geolocate users via a lookup against a database of BSSIDs such as WiGLE or SkyHook. Other networking information can be used by rogue apps to further explore & attack the local WiFi network.
All versions of Android running on all devices are believed to be affected, including forks (such as Amazon’s FireOS for the Kindle). The vendor (Google) fixed these issues in Android P / 9 but does not plan to fix older versions. Users are encouraged to upgrade to Android P / 9 or later. CVE-2018-9489 has been assigned by the vendor to track this issue. Further research is also recommended to determine whether this is being exploited in the wild.
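For devices that cannot move to Android 9, one way to triage installed apps is to check which of them listen for the Wi-Fi broadcasts at all. The sketch below is an added example, not code from the researchers or from Google: it scans a decoded APK tree (manifest plus smali) for the two broadcast action strings, which are Android SDK constants assumed here to be the broadcasts concerned because the page does not name them; the sample app is constructed.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumption: SDK action strings of WifiManager.NETWORK_STATE_CHANGED_ACTION and
# WifiP2pManager.WIFI_P2P_THIS_DEVICE_CHANGED_ACTION; the page does not name them.
ACTIONS = {"android.net.wifi.STATE_CHANGE", "android.net.wifi.p2p.THIS_DEVICE_CHANGED"}
SMALI_STRING = re.compile(r'const-string(?:/jumbo)?\s+\w+,\s*"([^"]+)"')

def audit_app(root):
    """Return sorted (kind, location, action) findings for one decoded APK tree."""
    root = Path(root)
    findings = set()
    manifest = root / "AndroidManifest.xml"
    if manifest.exists():
        # Statically declared receivers: <receiver><intent-filter><action/>
        for recv in ET.parse(manifest).getroot().iter("receiver"):
            for act in recv.iter("action"):
                name = act.get(ANDROID_NS + "name")
                if name in ACTIONS:
                    findings.add(("manifest", recv.get(ANDROID_NS + "name", "?"), name))
    # Receivers registered at runtime only show up as string constants in code.
    for smali in root.rglob("*.smali"):
        for value in SMALI_STRING.findall(smali.read_text(errors="replace")):
            if value in ACTIONS:
                findings.add(("code", smali.relative_to(root).as_posix(), value))
    return sorted(findings)

# Constructed sample standing in for a decoded APK (not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
<application>
<receiver android:name=".NetReceiver"><intent-filter>
<action android:name="android.net.wifi.STATE_CHANGE"/></intent-filter></receiver>
<receiver android:name=".BootReceiver"><intent-filter>
<action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver>
</application></manifest>"""
SAMPLE_SMALI = 'const-string v0, "android.net.wifi.p2p.THIS_DEVICE_CHANGED"\nconst-string v1, "hi"\n'

def run_sample():
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "AndroidManifest.xml").write_text(SAMPLE_MANIFEST)
        (root / "smali/com/example").mkdir(parents=True)
        (root / "smali/com/example/P2p.smali").write_text(SAMPLE_SMALI)
        return audit_app(root)

if __name__ == "__main__": print(*run_sample(), sep="\n")
```

A hit only shows that an app receives these broadcasts, which many apps do for ordinary connectivity handling, so treat it as a shortlist for review rather than a verdict.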