A critical vulnerability in the Android operating system that allows malicious entities to locate and track Android devices won’t be patched by Google in devices that run any version of Android older than the latest Android Pie (9).
In May last year, security research firm Check Point discovered that, with the Android 6.0.1 Marshmallow update, Google had removed a security feature in Android OS that let users grant permissions to apps at runtime and so prevented such apps from gaining dangerous permissions automatically.
“This entails a significant potential for several malicious techniques, such as displaying fraudulent ads, phishing scams, click-jacking, and overlay windows, which are common with banking Trojans. It can also be used by ransomware to create a persistent on-top screen that will prevent non-technical users from accessing their devices,” noted Check Point researchers.
Google told the firm that it would fix the vulnerability in Android O, the successor to Android 7.0 Nougat. The new fix, called TYPE_APPLICATION_OVERLAY, would block windows from being positioned above any critical system windows, allowing users to access settings and block an app from displaying alert windows.
This meant that users of Android devices running older versions of the operating system were vulnerable to malicious apps that exploited the absence of the SYSTEM_ALERT_WINDOW feature to obtain device permissions automatically and thereby install malware or spyware.
Critical flaw patched only for Android Pie
According to a report from security firm Nightwatch Cybersecurity, Google is playing the same trick again. The firm says that system broadcasts by Android OS expose device information to all installed apps. Such information includes the WiFi network name, BSSID, local IP addresses, DNS server information and the MAC address.
Even though apps can no longer obtain the MAC address directly on devices that run Android 6 or higher, they can still obtain it by listening to system broadcasts, which bypasses any permission checks and existing mitigations.
“Because MAC addresses do not change and are tied to hardware, this can be used to uniquely identify and track any Android device even when MAC address randomization is used. The network name and BSSID can be used to geolocate users via a lookup against a database of BSSID such as WiGLE or SkyHook. Other networking information can be used by rogue apps to further explore and attack the local WiFi network,” the firm said.
Nightwatch Cybersecurity noted that even though the flaw affects all versions of Android running on all devices, Google decided to introduce a patch only for devices running the latest Android Pie OS. “Because this would be a breaking API change, the vendor does not plan to fix prior versions of Android. Users are encouraged to upgrade to Android P / 9 or later,” it said.
Many OEM device manufacturers do not pass on operating system updates to their devices that run the open-source Android, and they are not obligated to do so. This means that millions of Android devices that do not run Android Pie, or cannot be upgraded to it, are now vulnerable to external access via malicious apps.