14 DAY TRIAL // A security flaw in Android allows malicious apps to bypass permission checks and thus obtain access to read more information they were supposed to, including details that could allow malware to track device location.
Discovered by Nightwatch Cybersecurity, the vulnerability affects all versions of Android except for the recently-released Pie. The security hole is detailed in CVE-2018-9489 and is unlikely to get any fix, according to the advisory.
“The vendor fixed these issues in Android P / 9. Because this would be a breaking API change, the vendor does not plan to fix prior versions of Android. Users are encouraged to upgrade to Android P / 9 or later,” Nightwatch Cybersecurity notes.
As to how the vulnerability can be exploited, the research indicates that malicious apps can listen to system broadcasts in order to bypass permission checks and get access to specific device information.
Flaw fixed in Android Pie
It can read anything from Wi-Fi network name, local IP addresses, DNS server information, and the MAC address, with security researchers warning that this opens the door for more malicious activities, including geolocating a specific target.
“Because MAC addresses do not change and are tied to hardware, this can be used to uniquely identify and track any Android device even when MAC address randomization is used. The network name and/or BSSID can be used to geolocate users via a lookup against a database like WiGLE or SkyHook. Other networking information can be used by rogue apps to further explore and attack the local WiFi network,” the advisory adds.
The security flaw was first reported to Google in March this year, and apparently, the search giant developed a fix but only for its most recent Android version.
Needless to say, the easiest way to stay protected is to update your devices to Android Pie, though in practice this is a lot harder than it sounds. Most Android OEMs are only now laying out plans for the release of Android Pie to their devices, so it could take up to several months until the rollout actually begins.