Hundreds of Millions of Android Devices are Exposed To This Vulnerability, And Google Won't Fix It!


Cybersecurity researchers have discovered a vulnerability in the Android operating system that makes it easy to track and locate Android devices, including forked versions such as FireOS.


The vulnerability itself isn't the bad news. The bad news is that hundreds of millions of Android devices will remain exposed to it, because Google won't be making a patch available for any Android version other than Android 9 Pie.

According to the report from Nightwatch Cybersecurity, the vulnerability (CVE-2018-9489) can be exploited to "uniquely identify and track any Android device" and also to "geolocate users."

The vulnerability makes it possible for apps to bypass permission checks and gain access to information contained in system broadcasts.


An excerpt from the Nightwatch Cybersecurity report reads:

"System broadcasts by Android OS expose information about the user's device to all applications running on the device. This includes the WiFi network name, BSSID, local IP addresses, DNS server information and the MAC address. Some of this information (MAC address) is no longer available via APIs on Android 6 and higher, and extra permissions are normally required to access the rest of this information. However, by listening to these broadcasts, any application on the device can capture this information thus bypassing any permission checks and existing mitigations.

"Because MAC addresses do not change and are tied to hardware, this can be used to uniquely identify and track any Android device even when MAC address randomization is used. The network name and BSSID can be used to geolocate users via a lookup against a database of BSSID such as WiGLE or SkyHook. Other networking information can be used by rogue apps to further explore and attack the local WiFi network."
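
An app-vetting check for the behaviour the excerpt describes, added here as an example (it is not code from Nightwatch Cybersecurity or Google): it flags apps that listen for Wi-Fi system broadcasts while holding none of the permissions normally needed for that data. The `android.net.wifi.` action prefix, the permission set, the `audit_app` name and the sample inputs are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
WIFI_PREFIX = "android.net.wifi."  # assumption: Wi-Fi system broadcast actions
WIFI_ACTION_RE = re.compile(r'"(android\.net\.wifi\.[\w.]+)"')
# Assumption: the "extra permissions" an app would normally hold for this data.
EXPECTED = {"android.permission.ACCESS_WIFI_STATE",
            "android.permission.ACCESS_FINE_LOCATION",
            "android.permission.ACCESS_COARSE_LOCATION"}

def audit_app(manifest_xml, sources):
    """Report Wi-Fi broadcast listeners; sources maps file name -> decompiled text."""
    root = ET.fromstring(manifest_xml)
    held = {p.get(ANDROID + "name") for p in root.iter("uses-permission")} & EXPECTED
    findings = []
    for rcv in root.iter("receiver"):  # receivers declared in the manifest
        names = [a.get(ANDROID + "name", "") for a in rcv.iter("action")]
        wifi = sorted(n for n in names if n.startswith(WIFI_PREFIX))
        if wifi:
            findings.append(("manifest", rcv.get(ANDROID + "name"), wifi))
    for path, text in sorted(sources.items()):  # receivers registered at run time
        wifi = sorted(set(WIFI_ACTION_RE.findall(text)))
        if wifi and "registerReceiver" in text:
            findings.append(("code", path, wifi))
    return {"package": root.get("package"),
            "held_permissions": sorted(held),
            "listens_without_permission": bool(findings) and not held,
            "findings": findings}

# Constructed sample input, not taken from a real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".NetReceiver">
      <intent-filter>
        <action android:name="android.net.wifi.STATE_CHANGE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
SAMPLE_SOURCES = {"Main.java":
    'registerReceiver(r, new IntentFilter("android.net.wifi.STATE_CHANGE"));'}

if __name__ == "__main__":
    print(audit_app(SAMPLE_MANIFEST, SAMPLE_SOURCES))
```

Run it over a manifest decoded from the APK together with the decompiled sources. A hit is a reason to review the app on devices below Android 9 Pie, not proof of tracking.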



Spotted back in March, the vulnerability was reported to Google, which addressed the issue in Android 9 Pie. However, Google has no plans to patch the vulnerability in earlier versions of Android, which is a cause for concern.

The fix in Android 9 Pie is good news, but hundreds of millions of Android devices will never receive Android 9 Pie, which means they will remain exposed to this vulnerability.

Now that this vulnerability has been made public, the risk of cybercriminals taking advantage of it has increased significantly.
