Android OS API-Breaking Vulnerability Helps Hackers Steal Useful WiFi Data
Researchers have uncovered an “API-breaking” vulnerability that exposes Android system data about the device to rogue apps. The exposed information can be misused by cybercriminals.
Security researchers from Nightwatch Cybersecurity, in a detailed blog post on the vulnerability, explain that system broadcasts from the Android OS expose sensitive information about the user’s device to any app installed on the phone, whether or not that app needs the data to function. An attacker can misuse this information, even to physically locate the user of the device.
To understand the issue (CVE-2018-9489), it helps to know how Android uses “intents” for inter-process communication. The Nightwatch Cybersecurity blog post explains, “In particular, Android provides the use of “Intents” as one of the ways for inter-process communication. A broadcast using an “Intent” allows an application or the OS to send a message system-wide which can be listened to by other applications. While functionality exists to restrict who is allowed to read such messages, application developers often neglect to implement these restrictions properly or mask sensitive data. This leads to a common vulnerability within Android applications where a malicious application running on the same device can spy on and capture messages being broadcast by other applications.”
The researchers found that the Android OS itself, using two different intents, regularly broadcasts information about the WiFi connection and the WiFi network interface. The broadcast data includes the MAC address of the device, the BSSID and network name (SSID) of the WiFi access point, and networking details such as the local IP range, the gateway IP and the DNS server addresses. All of it is delivered to every app running on the device. In this case, then, the oversight lies in the OS rather than in any individual app developer.
An attacker who gets an Android user to install a specially crafted malicious app can collect and misuse all of this information, which is otherwise available only through the WifiManager API, and only to apps holding the relevant permissions. The Nightwatch blog says: “While applications can also access this information via the WifiManager, this normally requires the “ACCESS_WIFI_STATE” permission in the application manifest. Geolocation via WiFi normally requires the “ACCESS_FINE_LOCATION” or “ACCESS_COARSE_LOCATION” permissions. Also, on Android versions 6.0 and later, the real MAC address of the device is no longer available via APIs and will always return the address “02:00:00:00:00:00”. However, an application listening for system broadcasts does not need these permissions thus allowing this information to be captured without the knowledge of the user and the real MAC address being captured even on Android 6 or higher.”
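The following Java is an added example, not code from the article or from Nightwatch Cybersecurity. It illustrates both halves of the discussion above: first, how a dynamically registered receiver with no manifest permissions can pick up a Wi-Fi system broadcast and read the WifiInfo it carries; second, the restrictions the Nightwatch quote says app developers neglect when they broadcast their own data. The article does not name the two offending intents, so the receiver listens for WifiManager.NETWORK_STATE_CHANGED_ACTION and reads WifiManager.EXTRA_WIFI_INFO, both public Android SDK constants, as an assumed stand-in. The action string and permission name in the second class are hypothetical.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.net.wifi.WifiInfo;
import android.net.wifi.WifiManager;
import android.util.Log;

/**
 * Part 1: harvesting Wi-Fi details from a system broadcast.
 *
 * Nothing here is declared in the manifest and no runtime permission is
 * requested. The broadcast is delivered to every app with a matching
 * receiver, so ACCESS_WIFI_STATE and the location permissions are never
 * consulted. The action and extra are an assumption for illustration; the
 * article does not say which two broadcasts leaked.
 */
public class WifiBroadcastSniffer extends BroadcastReceiver {
    private static final String TAG = "WifiSniffer";

    @Override
    public void onReceive(Context context, Intent intent) {
        if (!WifiManager.NETWORK_STATE_CHANGED_ACTION.equals(intent.getAction())) {
            return;
        }
        // The WifiInfo parcelable rides along in the broadcast extras.
        WifiInfo info = intent.getParcelableExtra(WifiManager.EXTRA_WIFI_INFO);
        if (info == null) {
            return;
        }
        // On an unpatched build these fields come back unmasked, including the
        // hardware MAC that the WifiManager API already hides as 02:00:00:00:00:00.
        Log.d(TAG, "ssid=" + info.getSSID()
                + " bssid=" + info.getBSSID()
                + " mac=" + info.getMacAddress());
    }

    /** Dynamic registration: nothing in the manifest, nothing for the user to approve. */
    public static WifiBroadcastSniffer register(Context context) {
        WifiBroadcastSniffer receiver = new WifiBroadcastSniffer();
        context.registerReceiver(receiver,
                new IntentFilter(WifiManager.NETWORK_STATE_CHANGED_ACTION));
        return receiver;
    }
}

/**
 * Part 2: the restrictions developers are expected to apply to their own
 * broadcasts. These protect an app's own messages only; the OS broadcast
 * above can be fixed only in the platform. ACTION and PERMISSION are
 * hypothetical names; PERMISSION would be declared in the manifest with
 * android:protectionLevel="signature".
 */
class SafeBroadcaster {
    static final String ACTION = "com.example.app.NET_INFO";                       // hypothetical
    static final String PERMISSION = "com.example.app.permission.READ_NET_INFO";   // hypothetical

    /** Weak: any app on the device with a matching IntentFilter receives it. */
    static void sendUnrestricted(Context ctx, String payload) {
        ctx.sendBroadcast(new Intent(ACTION).putExtra("payload", payload));
    }

    /** Option A: pin the target package so only this app's receivers see it. */
    static void sendToSelf(Context ctx, String payload) {
        Intent i = new Intent(ACTION).putExtra("payload", payload);
        i.setPackage(ctx.getPackageName());
        ctx.sendBroadcast(i);
    }

    /** Option B: require the receiver to hold a signature-level permission. */
    static void sendWithPermission(Context ctx, String payload) {
        ctx.sendBroadcast(new Intent(ACTION).putExtra("payload", payload), PERMISSION);
    }
}
```

Calling WifiBroadcastSniffer.register(context) from any Activity or Service is enough to start receiving the broadcast; the point of the second class is that setPackage or a receiverPermission argument on sendBroadcast is all it takes to close the same hole in an app's own messages.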
Anyone who obtains this information can use it to map and attack the local WiFi network, and to identify and track a specific Android device: the MAC address is a stable hardware identifier, and the access point’s BSSID can be geolocated through public WiFi positioning databases.
Google fixed the issue earlier this month, in Android 9 (Pie), after being notified in March. There are no plans to patch older Android versions, so users should upgrade as soon as they can.