This article originally appeared on ZDNet.
A vulnerability has been discovered in the Google Android operating system which could allow cyberattackers to covertly capture Wi-Fi broadcast data in order to track users.
Nightwatch Cybersecurity researcher Yakov Shafranovich said that Android devices broadcast information about the user’s device to applications running on the system. This information can include Wi-Fi network names, BSSIDs, local IP addresses, DNS server data and MAC addresses, although MAC addresses have been hidden by the APIs since Android 6.
By listening in to these data streams, apps can capture the information, often for legitimate purposes.
However, when rogue apps eavesdrop, this can lead to sensitive information disclosure and attackers may be able to attack local Wi-Fi networks or use MAC addresses to track unique Android devices.
It is also possible to geotrack users through the network name and BSSID by using database lookups.
“While functionality exists to restrict who is allowed to read such messages, application developers often neglect to implement these restrictions properly or mask sensitive data,” the researcher says. “This leads to a common vulnerability within Android applications where a malicious application running on the same device can spy on and capture messages being broadcast by other applications.”
Android uses “intents” for inter-process communication, alongside a number of permissions intended as safeguards against eavesdropping and data leaks.
The OS uses two broadcast intents to announce this information system-wide: WifiManager’s “Network state changed action” and WifiP2pManager’s “Wi-Fi P2P this device changed action.”
Applications can also query this information directly. When it is accessed through WifiManager, the “Access Wifi state” permission is normally required, and access to geolocation data normally requires either the “access fine location” or “access coarse location” permission.
However, when an application simply listens for these system broadcasts, those permission checks are bypassed, which allows rogue and malicious apps to capture the data without the user’s knowledge.
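One defender-side check that follows from this, added here as an example and not code from the article or from Nightwatch Cybersecurity: a Python triage of a decoded AndroidManifest.xml that flags receivers subscribed to either of the two broadcasts above while the app never requests ACCESS_WIFI_STATE. The sample manifest is constructed; the action strings are the real values of the two WifiManager/WifiP2pManager constants. It only sees manifest-declared receivers, so a receiver registered at runtime with registerReceiver() needs code review instead.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real action strings behind the two broadcasts the article names:
# WifiManager.NETWORK_STATE_CHANGED_ACTION and
# WifiP2pManager.WIFI_P2P_THIS_DEVICE_CHANGED_ACTION.
WIFI_BROADCAST_ACTIONS = {
    "android.net.wifi.STATE_CHANGE": "WifiManager.NETWORK_STATE_CHANGED_ACTION",
    "android.net.wifi.p2p.THIS_DEVICE_CHANGED": "WifiP2pManager.WIFI_P2P_THIS_DEVICE_CHANGED_ACTION",
}
WIFI_PERMISSION = "android.permission.ACCESS_WIFI_STATE"


def triage_manifest(manifest_xml: str) -> dict:
    """Flag manifest-declared receivers for the Wi-Fi broadcasts and whether the
    app also declares ACCESS_WIFI_STATE. A subscription without the permission
    is the pattern described above: the data arrives through the broadcast,
    bypassing the check WifiManager would apply. Receivers registered at
    runtime via registerReceiver() are not visible here."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    permissions = {p.get(name_attr) for p in root.iter("uses-permission")}
    findings = []
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            act = action.get(name_attr)
            if act in WIFI_BROADCAST_ACTIONS:
                findings.append((receiver.get(name_attr), WIFI_BROADCAST_ACTIONS[act]))
    return {
        "receivers": findings,
        "declares_wifi_permission": WIFI_PERMISSION in permissions,
        "suspicious": bool(findings) and WIFI_PERMISSION not in permissions,
    }

# Constructed sample manifest (not taken from any real app): a receiver for both
# broadcasts while the app never requests ACCESS_WIFI_STATE.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".NetListener">
      <intent-filter>
        <action android:name="android.net.wifi.STATE_CHANGE"/>
        <action android:name="android.net.wifi.p2p.THIS_DEVICE_CHANGED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
```

Run the same triage over a manifest that does declare ACCESS_WIFI_STATE and the finding is downgraded: the permission makes the subscription at least consistent with a declared, reviewable capability.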
“Because MAC addresses do not change and are tied to hardware, this can be used to uniquely identify and track any Android device even when MAC address randomization is used,” Shafranovich said. “The network name and/or BSSID can be used to geolocate users via a lookup against a database like WiGLE or SkyHook.”
The team tested a variety of Android devices, all of which demonstrated the same behavior. However, in some cases the real MAC address was not exposed in the “Network state changed action” intent but was available through the “Wi-Fi P2P this device changed action” intent.
All versions of Android, including OS forks — such as Amazon’s Kindle FireOS — are believed to be affected, potentially impacting millions of users.
The cybersecurity firm initially reported its findings to Google in March. Following an investigation which took several months, a CVE number was assigned to the vulnerability and Google developed a fix in July.
The patch was confirmed in early August, leading to the public disclosure of the vulnerability.
Google has fixed the security flaw in the latest version of the Android operating system, Android P, also known as Android 9 Pie.
However, the tech giant will not fix prior versions of Android as resolving the vulnerability “would be a breaking API change,” according to the cybersecurity firm.
Earlier this month, Google announced the launch of Android 9 Pie, which is already rolling out to Android users on some devices.
Android devices manufactured by vendors including Nokia, Xiaomi, and Sony will receive the updated OS by the end of fall. The update includes new gesture navigation, themes, and adaptive settings for screen brightness and battery life, among others.
Users able to upgrade to Android 9 are encouraged to do so.
ZDNet has reached out to Google with additional queries and will update if we hear back.