Researchers have discovered a weakness in all version of Android except 9, the most recent release, that can allow an attacker to gather sensitive information such as the MAC address and BSSID name and pinpoint the location of an affected device.

The vulnerability is a result of the way that Android broadcasts device information to apps installed on a device. The operating system uses a mechanism known as an intent to send out information between processes or applications, and some of the information about the device’s WiFi network interface sent via a pair of intents can be used by an attacker to track a device closely.

“Android OS broadcasts information about the WiFi connection and the WiFi network interface on a regular basis using two intents: WifiManager’s NETWORK_STATE_CHANGED_ACTION and WifiP2pManager’s WIFI_P2P_THIS_DEVICE_CHANGED_ACTION. This information includes the MAC address of the device, the BSSID and network name of the WiFi access point, and various networking information such as the local IP range, gateway IP and DNS server addresses. This information is available to all applications running on the user’s device,” Yakov Shafranovich of Nightwatch Cybersecurity wrote in an advisory on the vulnerability.

“While applications can also access this information via the WifiManager, this normally requires the “ACCESS_WIFI_STATE” permission in the application manifest. Geolocation via WiFi normally requires the “ACCESS_FINE_LOCATION” or “ACCESS_COARSE_LOCATION” permissions.”

A malicious app--or just one that is listening for the right broadcasts from Android--would be able to identify any individual Android device and geolocate it. An attacker could use this weaknesses to track a given device, presumably without the user’s knowledge. Although Android has had MAC address randomization implemented since version 6, released in 2015, Shafranovich research showed that an attacker can get around this restriction.

The Android update process is a slow one, thanks to the fact that device manufacturers have to push new versions to carriers, which then roll them out to users.

“Also, on Android versions 6.0 and later, the real MAC address of the device is no longer available via APIs and will always return the address “02:00:00:00:00:00”. However, an application listening for system broadcasts does not need these permissions thus allowing this information to be captured without the knowledge of the user and the real MAC address being captured even on Android 6 or higher,” Shafranovich said.

MAC addresses are hardware identifiers that serve as unique IDs for devices. Those IDs are permanent, so an attacker who can capture that number and other information about the device can follow the device’s movements.

“Because MAC addresses do not change and are tied to hardware, this can be used to uniquely identify and track any Android device even when MAC address randomization is used. The network name and/or BSSID can be used to geolocate users via a lookup against a database like WiGLE or SkyHook. Other networking information can be used by rogue apps to further explore and attack the local WiFi network,” Shafranovich said.

Google has implemented a fix for this weakness in Android 9, which the company released earlier this month. That update has already landed for people who own Google’s Pixel devices and will be available for other Android devices in the coming weeks. But the Android update process is a slow one, thanks to the fact that device manufacturers have to push new versions to carriers, which then roll them out to users. If they choose to.