Nightwatch Cybersecurity researchers identified a sensitive data exposure via a wi-fi broadcast vulnerability in Android OS.
Researchers discovered that system broadcasts sent by Android devices expose information about the user's device to every application running on it; any app can intercept these broadcasts, bypassing permission checks and existing mitigations on the vulnerable device, according to a 29 August blog post.
“Because MAC addresses do not change and are tied to hardware, this can be used to uniquely identify and track any Android device even when MAC address randomisation is used,” researchers said in the post. “The network name and BSSID can be used to geolocate users via a lookup against a database of BSSID such as WiGLE or SkyHook.”
The vulnerability is in part due to application developers neglecting to implement restrictions that properly mask sensitive data. This is a common weakness in Android applications: a malicious application running on the same device can spy on and capture messages that other applications broadcast.
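As an added illustration of the developer-side restriction the paragraph refers to (example code written for this page, not Nightwatch's or Android's own), the first method broadcasts network details that any app on the device can read, while the second restricts delivery to the sending package and requires a signature-level permission; the action and permission names are assumed.

```java
import android.content.Context;
import android.content.Intent;

// Constructed example: an app that broadcasts network details it has collected.
public class NetworkInfoBroadcaster {
    // Assumed action name for this hypothetical app's broadcast.
    static final String ACTION_NET_INFO = "com.example.app.NET_INFO";
    // Assumed permission, declared in this app's manifest as
    // <permission android:name="..." android:protectionLevel="signature"/>,
    // so only apps signed with the same key can hold it.
    static final String PERM_READ_NET_INFO = "com.example.app.permission.READ_NET_INFO";

    // Vulnerable pattern: an implicit, unrestricted broadcast. Every app on the
    // device can register a receiver for ACTION_NET_INFO and read the extras;
    // no permission is checked on the receiving side.
    static void broadcastUnrestricted(Context ctx, String ssid, String bssid, String mac) {
        Intent i = new Intent(ACTION_NET_INFO);
        i.putExtra("ssid", ssid);
        i.putExtra("bssid", bssid);
        i.putExtra("mac", mac);
        ctx.sendBroadcast(i);
    }

    // Hardened pattern: make the broadcast explicit (only this package's
    // receivers see it) and additionally require a signature-level permission,
    // so a third-party app cannot register for the action and collect the data.
    static void broadcastRestricted(Context ctx, String ssid, String bssid, String mac) {
        Intent i = new Intent(ACTION_NET_INFO);
        i.setPackage(ctx.getPackageName());
        i.putExtra("ssid", ssid);
        i.putExtra("bssid", bssid);
        i.putExtra("mac", mac);
        ctx.sendBroadcast(i, PERM_READ_NET_INFO);
    }
}
```

If the data never needs to leave the process at all, an in-process mechanism (such as a direct callback) avoids the broadcast surface entirely.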
The vulnerability was patched in Android P (9). Because fixing it would be a breaking API change, the vendor does not plan to patch earlier versions of Android, so users are encouraged to update their systems as soon as possible.