Nearly a billion users at risk from a newly found Android bug Google won't fix

Justin Kahn


Just days after Microsoft criticized Google for publishing a flaw found in Windows 8.1, the search giant is now getting a taste of its own medicine. A group of researchers has spotted an ugly vulnerability within older versions of Android that is putting a massive number of users at risk.

While it appears the issue does not affect Android 4.4 and up, nearly 60% of Android users (which pushes awfully close to one billion people) are considered vulnerable. Researcher Rafay Baloch and a team at Rapid7 led by engineer Joe Vennix say that the WebView component within Android 4.3, which allows apps to display webpages without launching another app, has a bug that can allow malicious hackers to tap into devices.

The bad news is that Google won’t be patching this one. According to analysts and direct statements from Google, the company does not develop patches for versions of Android before 4.4. It is also very difficult for the company to do so due to the way WebView is built into the OS, so instead it will place responsibility on OEMs and carriers. “Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch,” Google said.

Users with newer Android devices don’t need to worry, as Google has dropped WebView from the core OS in favor of integration with the Google Play app. From there it can easily and readily issue updates and patches. While this is unfortunate news for those with older devices, Google was inevitably going to stop supporting older versions of its popular mobile OS, and this will likely not be the last bug found in left-behind versions that are still widely used.


 
The problem is Google CAN patch this bug, but no phone manufacturer will bother to release an update for their phones. The phone manufacturers want you to buy a new phone. If they continue to support old phones people will not see a need to buy a new one. Same goes for carriers. They make more money locking you into a contract when you buy a new phone plus they make you pay more for the phone than if you bought it from the manufacturer. Besides, if a phone manufacturer updates Android for a specific phone, there's little chance carriers will pass the update along.

If you own a Nexus phone, this bug is of little concern. Just upgrade your phone to Kit Kat or Lollipop. I'm glad I bought a Google Nexus 5 from Google. I'm not tied to ANY carrier and can switch whenever I like. Plus, I get frequent updates that fix bugs and add features.
 
Whelp, everyone else can use a custom ROM to avoid this vulnerability, I already have. Cyanogenmod is a good ROM, and their one-click installer is dirt-simple to use.
 
Do you honestly think Microsoft will treat you any better? Outdated is outdated in both their eyes.

At least I'll get an OS that WILL be patched, even if it takes some time to happen. Especially now that it'll converge into one single system to rule them all.
 