
Android bug leaves nearly one billion handsets vulnerable

A security vulnerability that affects nearly one billion Android handsets has been outed by a security expert.

Tod Beardsley, an analyst with Rapid7, claims that all Android versions below Android 4.4 KitKat are affected by the issue, as reported by BGR.

This puts the total number of at-risk devices at somewhere around 939 million. Ouch.

So what’s actually gone wrong? Well, apparently the issue is with Android WebView, a core bit of software for older versions of Android.

In short, it lets apps show web pages without having to open a completely separate application.

According to Beardsley, this is what makes the bug particularly potent – WebView interacts with other apps, leaving all of them potentially vulnerable.

Fortunately, anyone running KitKat or later won’t need to worry about this issue because Google replaced WebView completely.

What’s unfortunate, however, is that somewhere around 60 per cent of Android devices are running Jelly Bean or below.

Lollipop, which is the latest version of Android, touts an OS version share of less than 0.1 per cent.

Slow and fragmented OS updates mean that unlike Apple’s iOS userbase, many Android users are left using very old operating systems that can often be susceptible to newer exploits.


So why has Google left the bug open? Beardsley explains: “Maintaining support for a software product that is two versions behind would be fairly unusual in both the proprietary and open source software worlds.”

“On its face, this seems like a reasonable decision.”

The best thing to do if you’re worried about this bug is update your handset to Android 4.0 or higher, circumventing the issue entirely.

toboev

January 13, 2015, 2:33 pm

“Maintaining support for a software [used by 60% of the userbase] would be fairly unusual in both the proprietary and open source software worlds.” Doesn't sound so plausible.

MattMe

January 13, 2015, 3:27 pm

Firstly, I'm sure this will amuse Microsoft seeing as Google recently went public on a Windows bug 2 days before Microsoft released a patch, much to the detriment of everyone.
Secondly, the reason why the Android-sphere is so fragmented is because the option to simply upgrade to version 4.0 or higher just doesn't exist. It seems handset manufacturers release a handset with Android then forget about it all too often. The updates just aren't available.
And lastly, Google should maintain support for a product if such a huge percentage of its user base is still on that version.

LeeTronix

January 13, 2015, 5:37 pm

That is partly why I don't do Android, it is shocking they do not properly support their own OS and the manufacturers just want to sell and forget. People should move to Blackberry if they want OS perfection, although I doubt that will happen sadly.

LeeTronix

January 13, 2015, 5:38 pm

I completely agree with you, MattMe.

Bugblatter

January 13, 2015, 7:09 pm

Your last paragraph says 4.0; you meant 4.4.

Mark Colit

January 13, 2015, 9:52 pm

Well said. Within six months the hardware manufacturer has released a new product/successor and bang goes support for the previous product. Ring any bells, ASUStek?

Prem Desai

January 14, 2015, 7:20 am

Very disappointed with Google's take on this. They've dumped the fix of this on to the manufacturers.

If the issue is serious and affects a large percentage of their user base, then not offering support pre 4.4 is a very poor decision. I understand the economics, but 4.4 was just a few months away. Google now appears to be saying they'll only support their OS for a few months after release - scandalous.

If Google wants to be taken seriously, it needs to address this.

torjs99

January 14, 2015, 9:12 am

Blame companies like Samsung that fill their phones with crapware that means they can't be updated, like what they did with the UK S3. This of course is to force you to buy a new phone.

torjs99

January 14, 2015, 9:14 am

Agreed. Microsoft do it on billions of very different PCs.

Pg

January 14, 2015, 3:03 pm

Then choose a Nexus device. Upgrades are made available, usually quickly.

Pg

January 14, 2015, 3:06 pm

If the vendor won't upgrade, what makes you think Google can bypass them to update their handset? Google have released Android 4.4 which fixes this, but vendors don't see why they should update - not worth it. Consumers aren't interested enough to do something about it.
And it's 4.4 you need to upgrade to, article can't get that right consistently.

MattMe

January 14, 2015, 3:16 pm

Like I said in my comment, I'm aware that it's the vendors who are preventing users from upgrading to newer versions of the Android OS; but is it not possible for Google to release patches for older versions without upgrading the entire OS to a new version?
If not it certainly should be, particularly given the fragmented nature of Android versions.

I'm aware that in this case the version required to patch the bug is 4.4, I was simply using 4.0 as an example, and a quotation from the article, which was indeed incorrect advice.

MattMe

January 14, 2015, 3:20 pm

That is true, however you would be left with a choice of a large, older handset (that they stopped making, I believe) in the form of the Nexus 5, or the phablet Nexus 6.
Personally I find the Nexus 5 too large, and the 6 is just ridiculous, so what do you recommend for someone like me who likes to keep their phones in their pockets, not a trailer?

toboev

January 15, 2015, 9:27 am

"Maintaining support for a software product that is two versions behind would be fairly unusual in both the proprietary and open source software worlds."

That is very different from saying, "We did the fix, but Samsung et al. won't push it out to your device".
