A recently published Nightwatch Cybersecurity analysis comes with an alert. All Android versions are affected by this vulnerability, including forks, except for Android Pie. Google fixed the issue at hand with Android 9 but plans no fixes for earlier versions of the OS. CVE-2018-9489 is the tracking code for the issue described.
Apparently, applications can circumvent permission checks and existing mitigations by listening to system broadcasts. These system broadcasts by Android OS, says the report, “expose information about the user’s device to all applications running on the device. This includes the WiFi network name, BSSID, local IP addresses, DNS server information and the MAC address“. A rogue app gaining access to this information can use it to “identify and track any Android device”, and even geolocate it. Accessing other network information could also allow malicious apps to “explore and attack the local WiFi network”.
As mentioned, Google is aware of the problem, and has issued a fix. This fix will only be available, sadly, to those running the latest version of Android: Pie. Google “does not plan to fix older versions”, says Nightwatch Cybersecurity.