
The Android operating system is flexible and powerful. It can do a lot of things and is very customizable. But apparently, the OS is often subject to vulnerabilities.
As found by Nightwatch Cybersecurity, all Android versions have a flaw that allows apps to ignore permissions to gain access to information that is found in system broadcasts. This includes the name of the Wi-Fi network being used, BSSID, the MAC address of the device, DNS server information and local IP addresses.
With this information, malicious apps could locate and track any Android device, down to the precise street address. In addition, hackers can attack the Wi-Fi network being used if it is not properly secured, and attack other devices connected to it.
The problem is the result of parties in the Android supply chain wanting to add and customize their own applications. From Google, which owns Android, to vendors and carriers, they all want to add their own code. That increases the attack surface and the probability of software error. In doing so, they inadvertently expose end users to exploits that the end user is not able to respond to.
With great customization ability and flexibility come great consequences.
According to Nightwatch Cybersecurity:
"NETWORK_STATE_CHANGED_ACTION intent but they still do within the WIFI_P2P_THIS_DEVICE_CHANGED_ACTION intent. We also tested at least one fork (Amazon’s FireOS for the Kindle) and those devices displayed the same behavior."
"Because MAC addresses do not change and are tied to hardware, this can be used to uniquely identify and track any Android device even when MAC address randomization is used. The network name and/or BSSID can be used to geolocate users via a lookup against a database like WiGLE or SkyHook. Other networking information can be used by rogue apps to further explore and attack the local WiFi network."
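
A triage check for the behavior described in the quote above, added here as an example and not taken from Nightwatch Cybersecurity or Google: it reads a decoded AndroidManifest.xml and flags receivers declared for the two named intents in apps that hold no Wi-Fi or location permission. The action strings are the platform values of those two constants; the choice of gating permissions, the sample manifest and every name in it are constructed assumptions, and receivers registered at runtime do not appear in a manifest.

```python
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"
# Broadcast action strings behind the two intents named in the advisory quote.
LEAKY_ACTIONS = {
    "android.net.wifi.STATE_CHANGE": "NETWORK_STATE_CHANGED_ACTION",
    "android.net.wifi.p2p.THIS_DEVICE_CHANGED": "WIFI_P2P_THIS_DEVICE_CHANGED_ACTION",
}
# Assumption: permissions an app would need to request the same data directly.
WIFI_PERMISSION = "android.permission.ACCESS_WIFI_STATE"
LOCATION_PERMISSIONS = {"android.permission.ACCESS_FINE_LOCATION",
                        "android.permission.ACCESS_COARSE_LOCATION"}

# Constructed sample manifest (hypothetical app and receiver names).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".NetWatcher"><intent-filter>
      <action android:name="android.net.wifi.STATE_CHANGE"/>
      <action android:name="android.intent.action.BOOT_COMPLETED"/>
    </intent-filter></receiver>
    <receiver android:name=".P2pWatcher"><intent-filter>
      <action android:name="android.net.wifi.p2p.THIS_DEVICE_CHANGED"/>
    </intent-filter></receiver>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Return (receiver, intent constant, missing permissions) per finding."""
    root = ET.fromstring(xml_text)
    held = {p.get(NAME) for p in root.iter("uses-permission")}
    missing = []
    if WIFI_PERMISSION not in held:
        missing.append(WIFI_PERMISSION)
    if not (LOCATION_PERMISSIONS & held):
        missing.append("location (fine or coarse)")
    if not missing:
        return []  # app already holds the permissions; nothing is bypassed
    findings = []
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            constant = LEAKY_ACTIONS.get(action.get(NAME))
            if constant:
                findings.append((receiver.get(NAME), constant, tuple(missing)))
    return findings

if __name__ == "__main__":
    for receiver, constant, missing in audit_manifest(SAMPLE_MANIFEST):
        print(f"{receiver}: listens for {constant}, lacks {', '.join(missing)}")
```

A finding is a prompt for manual review of what the receiver does with the intent extras, not proof of abuse.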

There is some good news and bad news about this vulnerability.
The good news is that Google apparently fixed the flaw with Android 9.0 Pie. The bad news is that less than 0.1 percent of Android users were running Android Pie at the time the vulnerability was discovered.
Not even forked versions of Android are safe. Amazon devices with Fire OS also share the vulnerability, for example.
What's worse, Google has no plans to fix this flaw on older versions of the OS, because "this would be a breaking API change."
The security hole is detailed in CVE-2018-9489. "Users are encouraged to upgrade to Android Pie / 9 or later," said Nightwatch Cybersecurity.