Unpatched Android OS Flaw Allows Adversaries to Track User Location

The vulnerability is one of many with the same root cause: Cross-process information leakage.

A flaw in the Android mobile operating system could allow an attacker with physical proximity to a WiFi router to track the location of users within the router’s range.

The issue (CVE-2018-9581) allows information leakage stemming from inter-process communication. While applications on Android are usually segregated by the OS from each other and from the OS itself, there are still mechanisms for sharing information between them when needed. One of those mechanisms is the use of what Android calls “intents.”

An application or the OS itself can send an “intent” message out, which is broadcast system-wide and can be listened to by other applications. Without proper access restrictions and permissions put in place around these intents, it’s possible for malicious applications to intercept information that it shouldn’t have access to.

“While functionality exists to restrict who is allowed to read such messages, application [and OS] developers often neglect to implement these restrictions properly or mask sensitive data,” explained researchers from Nightwatch Cybersecurity System, in a post published on Sunday. “This leads to a common vulnerability within Android applications where a malicious application running on the same device can spy on and capture messages being broadcast by other applications.”

In the case of CVE-2018-9581, the Android OS itself is guilty of the oversight, according to Nightwatch. It found that the Android OS broadcasts information about the WiFi connection on a regular basis, using two different intents.

“The WiFi strength value (RSSI) [is broadcast] system-wide on a regular basis,” the team explained. “No special permission is needed to access this information. The RSSI values represent the relative strength of the signal being received by the device (higher = stronger) but are not directly correlated to the actual physical signal strength (dBm).”

Assuming that a phone that’s nearer to a WiFi router would receive a stronger signal, it thus becomes possible to infer a user’s location within a home or office. While on the surface this seems of little concern, given that it is perhaps easier for someone to trace a person’s local movements through visual observation, exploitation of this moderate-rated flaw could be useful for those intending physical harm or plotting a burglary, for example. There’s also a surveillance aspect – an unethical employer could keep logs on where their employees spend their time – to learn if they’re mostly away from their desks, for example, or if they spend too much time in the breakroom.

All versions of Android are believed to be affected (although on Android 9 one of the two broadcast types is no longer revealing sensitive data, as part of the fix for a related bug, CVE-2018-9489). The researchers said they weren’t sure if the flaw has been exploited in the wild. Google has acknowledged the issue, although the patch has not yet been released.

Cross-process information leakage is not new for Android. In fact, this bug is part of a series of three related Android bugs with the same root cause (improperly implemented intent messages). The group also includes CVE-2018-9489 and CVE-2018-15835.

CVE-2018-9489, now patched as mentioned, allows adversaries to explore and attack the local WiFi network, or identify and physically track any Android device, by exposing a range of WiFi information.

“This information includes the MAC address of the device, the BSSID and network name of the WiFi access point, and various networking information such as the local IP range, gateway IP and DNS server addresses,” the researchers said. “This information is available to all applications running on the user’s device.”

Armed with the information, adversaries can cause various types of damage, including using the networking information to further explore and attack the local WiFi network. Also, because MAC addresses are hard-coded, they can be used to uniquely identify and track any Android device, even when MAC address randomization is used.

As for CVE-2018-15835, the intent messages from the Android OS expose detailed information about the battery, which can be used to uniquely identify and track users across applications, with no special permissions. Android versions 5.0 and later are affected by this, but Google said that it doesn’t classify this bug as a security issue and has not released any fix plans.

All of these flaws are also reminiscent of the man-in-the-disk problem discussed at DEF CON 2018, which also concerns cross-application information leakage. Android’s OS makes use of two types of storage – internal storage which provides every app with its own sandbox; and an external storage mechanism that uses a removable SD card. This latter storage is shared across the OS, because it’s designed to enable apps to transfer data from one app to another. It means that any data written to it could potentially be snooped out (and the data changed) by another app on the device.

Fortnite for Android for instance was shown to expose user data via the mechanism.

Suggested articles