Researchers from Nightwatch Cybersecurity have discovered an Android API vulnerability (CVE-2018-9489) in the Google Android OS which exposes sensitive information about the user’s device to any app that’s installed on the phone — regardless of whether the app requires that data to function. The sensitive information passes via a system broadcast and includes the WiFi network name, WiFi network BSSID, local IP addresses, the device’s MAC address and DNS server information.

This information can be used for any number of malicious attacks and can physically locate the user, track their online activities and target them with ad campaigns.

Android API Vulnerability and Exploit Method

The Android OS itself sends out intent messages, which are broadcast system-wide and are available to all applications running on the user’s device. Information about the WiFi connection and the WiFi network interface is broadcast using two intents: WifiManager’s NETWORK_STATE_CHANGED_ACTION and WifiP2pManager’s WIFI_P2P_THIS_DEVICE_CHANGED_ACTION. Any app installed on the device can register a receiver to listen for the two intents and capture the WiFi-related information even if the application doesn’t have permission to access the phone’s WiFi feature (which is usually granted by the user).

The Android API vulnerability is in part due to application developers neglecting to implement restrictions to properly protect sensitive data. This neglect has led to a common vulnerability within Android applications where malicious apps running on the same device can spy on and capture messages being broadcast by other applications.

The researchers who discovered the vulnerability also published proof-of-concept (POC) sample code to replicate the exploit.

Who’s Affected by the Android API Vulnerability?

All Android versions before 9.0 are affected by the Android API vulnerability, including Android OS forks such as Amazon’s FireOS for Kindle.

Millions of users are potentially at risk. Any user running an Android OS before 9.0 who installs a malicious app could fall victim to any number of malicious attacks — upgrade to version 9.0 as soon as possible.

Google’s Statement and Fix

The Android API vulnerability didn’t receive a fix in Google Android’s September patch release. Google has fixed the security flaw in the latest version of the Android operating system, Android P (aka Android 9 Pie). However, the tech giant will not fix prior versions of Android as resolving the vulnerability “would be a breaking API change.”
