An “API-breaking” vulnerability has been uncovered that potentially exposes Android device system data to rogue apps, information that could be very useful to bad actors.
Researchers from Nightwatch Cybersecurity System said that certain system-wide broadcasts sent out by the Android OS expose sensitive information about the user’s device to any app that’s installed on the phone, regardless of whether the app requires the data to function. It’s information that can be used for any number of nefarious attacks, including physically locating the user.
The issue (CVE-2018-9489) lies in the fact that Android uses something called “intents” to achieve inter-process communication: An application or the OS itself can send an intent message out, which is broadcast system-wide and can be listened to by other applications.
“While functionality exists to restrict who is allowed to read such messages, application developers often neglect to implement these restrictions properly or mask sensitive data,” explained the researchers in a post published on Wednesday. “This leads to a common vulnerability within Android applications where a malicious application running on the same device can spy on and capture messages being broadcast by other applications.”
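The restriction the researchers describe, seen from the sending app's side, as an added example (not code from the Nightwatch post or from Android itself). The class, action and permission names are hypothetical, and the permission is assumed to be declared in the app's manifest with `android:protectionLevel="signature"`.

```java
import android.content.Context;
import android.content.Intent;

public final class NetworkStatusBroadcaster {
    // Hypothetical names used only for this example.
    static final String ACTION_STATUS =
            "com.example.app.action.NETWORK_STATUS";
    static final String PERMISSION_READ_STATUS =
            "com.example.app.permission.READ_NETWORK_STATUS";

    private NetworkStatusBroadcaster() {}

    /**
     * Weak form: an implicit broadcast with no receiver permission.
     * Any app that registers for ACTION_STATUS receives the extras,
     * including the access point identifier and gateway address.
     */
    static void sendUnrestricted(Context ctx, String bssid, String gatewayIp) {
        Intent intent = new Intent(ACTION_STATUS);
        intent.putExtra("bssid", bssid);
        intent.putExtra("gateway", gatewayIp);
        ctx.sendBroadcast(intent);
    }

    /**
     * Hardened form: the audience is restricted and the payload is masked.
     */
    static void sendRestricted(Context ctx, boolean connected) {
        Intent intent = new Intent(ACTION_STATUS);

        // Deliver only to receivers inside this app's own package.
        intent.setPackage(ctx.getPackageName());

        // Send coarse state only; no BSSID, MAC address or IP details.
        intent.putExtra("connected", connected);

        // Receivers must also hold the signature-level permission,
        // so apps signed with a different key cannot read the message.
        ctx.sendBroadcast(intent, PERMISSION_READ_STATUS);
    }
}
```

Either `setPackage` or the receiver permission alone narrows the audience; using both, and leaving identifiers out of the extras, covers the two omissions the researchers name.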
The OS developers also are guilty of the oversight, according to Nightwatch, which found that the Android OS itself broadcasts information about the WiFi connection and the WiFi network interface on a regular basis, using two different intents.
“This information includes the MAC address of the device, the BSSID and network name of the WiFi access point, and various networking information such as the local IP range, gateway IP and DNS server addresses,” the researchers said. “This information is available to all applications running on the user’s device.”
This means that bad actors who have socially engineered Android users into downloading specially crafted malware can uncover the information, which is otherwise only available via the WifiManager. The WifiManager is protected by requirements for extra permissions (plus, the MAC address isn’t even available in the function on Android version 6 and higher) – making it a much tougher conduit to hack.
“An application listening for system broadcasts does not need these permissions, thus allowing this information to be captured without the knowledge of the user and the real MAC address being captured even on Android 6 or higher,” the researchers said.
Armed with the information, adversaries can cause various types of damage, including using the networking information to further explore and attack the local WiFi network. Also, because MAC addresses are hard-coded, they can be used to uniquely identify and track any Android device, even when MAC address randomization is used.
“The network name and BSSID can be used to geolocate users via a lookup against a database of BSSID, such as WiGLE or SkyHook,” the researchers said.
After being informed of the problem in March, Google fixed the issue earlier this month in Android P (Android 9). However, it said that it doesn’t plan to fix older versions of the OS, so users should upgrade as soon as possible.
The flaw is somewhat similar to the recently uncovered man-in-the-disk problem, discussed at DEF CON 2018, which also concerns cross-application information leakage. Android’s OS makes use of two types of storage: internal storage, which provides every app with its own sandbox, and an external storage mechanism that uses a removable SD card. The latter is shared across the OS, because it’s designed to let apps transfer data from one app to another. That means any data written to it could potentially be read, and changed, by another app on the device.
Recently, Fortnite for Android was shown to expose user data via the mechanism.