The vulnerability was reported by security vendor Nightwatch Cybersecurity, who said it could be utilised to "uniquely identify and track any Android device" and also to "geolocate users".
Nightwatch said it had reported the flaw to Google back in March and that the company said it would only fix the issue in Android 9 or Pie. Older versions would not be patched, according to Nightwatch's advisory.
While users have been advised to upgrade to Android 9, that is not possible for anyone apart from those who use Google's own Pixel phones as every manufacturer customises Android and has to issue fixes and upgrades themselves.
"Some of this information (MAC address) is no longer available via APIs on Android 6 and higher, and extra permissions are normally required to access the rest of this information.
"However, by listening to these broadcasts, any application on the device can capture this information thus bypassing any permission checks and existing mitigations."
The company said forks of Android, like FireOS which runs the Amazon Kindle, were also affected by the vulnerability.
"Because MAC addresses do not change and are tied to hardware, this can be used to uniquely identify and track any Android device even when MAC address randomisation is used," Nightwatch said.
"The network name and BSSID can be used to geolocate users via a lookup against a database of BSSID such as WiGLE or SkyHook. Other networking information can be used by rogue apps to further explore and attack the local WiFi network."
The company said the issue could be replicated on anyone's device by following these steps:
- Install the “Internal Broadcasts Monitor” application developed by Vilius Kraujutis from Google Play.
- Open the application and tap “Start” to monitor broadcasts.
- Observe system broadcasts, specifically “android.net.wifi.STATE_CHANGE” and “android.net.wifi.p2p.THIS_DEVICE_CHANGED”.