Source: myhack58 | Author: anonymous | ID: MYHACK58:62201891407
Published: Sep 05, 2018 - 12:00 a.m.

Android's system broadcast mechanism has a vulnerability that lets malware bypass security mechanisms to track users

EPSS: 0.001 (Low), percentile 46.3%

Researchers abroad have disclosed an Android vulnerability, CVE-2018-9489. Android's internal broadcast mechanism exposes sensitive user and device information, which applications installed on the device can access without the user's knowledge or permission.
![](/Article/UploadPic/2018-9/201895161239204.png?www.myhack58.com)
The data leaked by Android's internal broadcast mechanism includes the Wi-Fi network name, the Wi-Fi network BSSID, the local IP address, DNS server information, the device's MAC address and other details. Some of this information, such as the MAC address, cannot be obtained through this vulnerability on versions above Android 6, but the rest can still be obtained by listening to the broadcasts, bypassing permission checks and other protective measures.
Background
Android is an open source OS developed by Google for mobile phones and tablets; by a conservative estimate, more than 20 million devices run Android. Applications on Android are normally isolated from the system, but several mechanisms still allow application processes to interact with the operating system.
One of them is the source of this issue. Android provides the “Intent” as one means of inter-process communication; this mechanism lets an application or the system send messages that other applications can listen for. Developers can switch this mechanism off or restrict it, but in practice engineers often neglect to deploy such restrictions or to mask sensitive data. This leads to the Android vulnerability described above: malware on the phone can monitor and capture messages broadcast by other applications.
The most common security mechanism Android provides is permission control, which is designed to protect the privacy of user information. An application must explicitly request access to certain information or functions through the special “uses-permission” tag in its app manifest, “AndroidManifest.xml”. Depending on the permission type, such as “normal” or “dangerous”, the system may show the authorization information to the user when the application is installed, or prompt again at run time. Some permissions can be used only by system applications and are not open to third-party developers.
Screenshot of app permissions in Google Play and at run time:
![](/Article/UploadPic/2018-9/201895161239241.png?www.myhack58.com)
Vulnerability details
The Android system uses the “Intent” mechanism to broadcast information about the Wi-Fi connection and the Wi-Fi network interface:
WifiManager.NETWORK_STATE_CHANGED_ACTION
WifiP2pManager.WIFI_P2P_THIS_DEVICE_CHANGED_ACTION
This information includes the device's MAC address, the Wi-Fi access point's BSSID, the network name, the local IP, the gateway IP, the DNS server address and other details. It is available to every application running on the user's device.
Applications can also access this information through WifiManager, but in that case the application needs the “ACCESS_WIFI_STATE” permission in its manifest. Geolocation via Wi-Fi usually requires the “ACCESS_FINE_LOCATION” or “ACCESS_COARSE_LOCATION” permission. In addition, in Android 6.0 and later, the device's actual MAC address is no longer available through the API, which always returns the address “02:00:00:00:00:00”. An application that listens to the system broadcasts, however, needs none of these permissions, so it can capture this information without the user's knowledge, and can even capture the real MAC address on Android 6 and later.
Screenshot of an application attempting to obtain the MAC address on Android 7.0:
![](/Article/UploadPic/2018-9/201895161239155.png?www.myhack58.com)
The researchers tested a variety of hardware and different Android versions, and the results show that the problem can be reproduced on all tested devices and Android versions. Some devices do not show the actual MAC address in the “NETWORK_STATE_CHANGED_ACTION” Intent, but they still do so in the “WIFI_P2P_THIS_DEVICE_CHANGED_ACTION” Intent. Because the MAC address is fixed and bound to the hardware, it can be used to identify and track any Android device even when the device's MAC address is randomized. The network name and BSSID can be used to locate the user by looking up the BSSID in a database such as WiGLE or SkyHook. Malicious software can also use this network information to further probe and attack the local Wi-Fi network. The researchers say that all versions of Android are affected, including forks such as Amazon's FireOS for the Kindle. Google fixed the problem in Android P/9 but does not provide the update for older versions of the system; users are advised to upgrade to the latest version of Android.
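For app vetting on devices that cannot move to Android 9, the permission gap described above can be turned into a triage check. The following is an added example, not code from the article or the researchers: it flags an app that receives either of the two broadcasts while lacking a permission that normally gates the same data. The function name `audit_app` and the sample manifests and source snippet are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Action strings named in the article, mapped to the SDK constants that resolve to them.
LEAKY_ACTIONS = {
    "android.net.wifi.STATE_CHANGE": "NETWORK_STATE_CHANGED_ACTION",
    "android.net.wifi.p2p.THIS_DEVICE_CHANGED": "WIFI_P2P_THIS_DEVICE_CHANGED_ACTION",
}
# Permissions the article says normally gate the same data.
GATING = {"android.permission." + p for p in
          ("ACCESS_WIFI_STATE", "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION")}

def audit_app(manifest_xml, sources):
    """Triage one app: which leaky broadcasts it receives, which gating permissions it lacks."""
    root = ET.fromstring(manifest_xml)
    declared = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    listened = set()
    # Receivers declared in the manifest.
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            if action.get(ANDROID + "name") in LEAKY_ACTIONS:
                listened.add(action.get(ANDROID + "name"))
    # Receivers registered at run time: match the action string or its constant in code.
    for text in sources.values():
        for action, constant in LEAKY_ACTIONS.items():
            if action in text or re.search(r"\b" + constant + r"\b", text):
                listened.add(action)
    missing = sorted(GATING - declared)
    return {"listens_for": sorted(listened), "missing": missing,
            "flagged": bool(listened) and bool(missing)}

# Constructed sample inputs (hypothetical apps, not taken from the article).
MANIFEST_A = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
SOURCES_A = {"Main.java": "filter.addAction(WifiManager.NETWORK_STATE_CHANGED_ACTION);"}
MANIFEST_B = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <application><receiver android:name=".NetReceiver"><intent-filter>
    <action android:name="android.net.wifi.STATE_CHANGE"/>
  </intent-filter></receiver></application>
</manifest>"""

if __name__ == "__main__":
    print(audit_app(MANIFEST_A, SOURCES_A))
    print(audit_app(MANIFEST_B, {}))
```

A flag is a prompt for manual review, not proof of abuse: string matching misses obfuscated or reflectively built action names.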
Reproducing the problem
Using an app
Android device users can reproduce the issue as follows:
1. Install the “Internal Broadcasts Monitor” application developed by Vilius Kraujutis.
2. Open the app, then tap “Start” to begin monitoring broadcasts.
3. Observe the system broadcasts, in particular these two: “android.net.wifi.STATE_CHANGE” and “android.net.wifi.p2p.THIS_DEVICE_CHANGED”.
Example:
![](/Article/UploadPic/2018-9/201895161239794.png?www.myhack58.com)
![](/Article/UploadPic/2018-9/201895161240132.png?www.myhack58.com)
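Using code
To reproduce the issue in code, create a broadcast receiver and register it to receive these broadcasts:
android.net.wifi.WifiManager.NETWORK_STATE_CHANGED_ACTION
android.net.wifi.p2p.WifiP2pManager.WIFI_P2P_THIS_DEVICE_CHANGED_ACTION
The sample code is as follows:
    public class MainActivity extends Activity {
        @Override
        public void onCreate(Bundle state) {
            super.onCreate(state);
            IntentFilter filter = new IntentFilter();
            filter.addAction(android.net.wifi.WifiManager.NETWORK_STATE_CHANGED_ACTION);
            filter.addAction(android.net.wifi.p2p.WifiP2pManager.WIFI_P2P_THIS_DEVICE_CHANGED_ACTION);
            // The listing continues on the next page of the original article.
        }
    }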
