x PhoneArena is hiring! Reviewer in the USA
  • Hidden picShow menu
  • Home
  • News
  • Roughly 939 million Android phones affected by a grave bug, Google won't do anything about it

Roughly 939 million Android phones affected by a grave bug, Google won't do anything about it

Posted: , by Peter K.

Tags:

Roughly 939 million Android phones affected by a grave bug, Google won't do anything about it

According to Tod Beardsly, a security analyst with Rapid7, all Android version below Android 4.4 KitKat are suffering from a pretty serious security vulnerability, which leaves them out on a limb, susceptible to malicious hacker attacks.

It seems that the culprit for this security hole is a bug found inside Android WebView, an undividable part of Android 4.3 and lower builds, which allows you to display online content in a given app. It's works alongside numerous other core Android services, which, naturally, leaves a security breach as wide as the Grand Canyon.

This security flaw leaves roughly 939 million Android handsets vulnerable to malicious attacks, which is a pretty serious figure. Generally, one might speculate that Google will be addressing the flaw as we speak, working on an urgent hotfix. However, one would be quite wrong, unfortunately.

It seems that Mountain View is not concerned at all about the WebView security issue, declining to fix the problem, and leaving the various OEMs to cope with it themselves. Considering the fragmentation of the platform, this generally means that a lot of these might not address the issue, too.

“If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch,” Google reasoned itself in front of Ted Beardsly.

Google uses another similar component for Android 4.4.x KitKat and 5.0 Lollipop, which means that they can't be affected by the WebView bug. Yet, these versions of the OS are not as widely-present as the older ones.

It looks like Tim Cook might have been entirely correct when he claimed that Android is a "toxic hellstew of vulnerabilities". Any thoughts?

source: BGR

55 Comments
  • Options
    Close




posted on 13 Jan 2015, 02:47 6

1. iushnt (Posts: 1482; Member since: 06 Feb 2013)


Will it really affect general people? Those who use phone for really classified communication will definately have latest secured device..

posted on 13 Jan 2015, 03:39 12

13. Duketytz (Posts: 534; Member since: 28 Nov 2013)


Nah Phonearena just wants you to know Google socks even though this isn't google's fault. Blame it on the OEMs who refuse to update devices past jellybean

posted on 13 Jan 2015, 10:06

32. LiquidGalaxy (Posts: 327; Member since: 03 Jul 2013)


Well no, lets not be stupid, Jellybean isn't exactly an old OS, so it's nothing to do with that..

posted on 13 Jan 2015, 10:44 5

34. sgodsell (Posts: 3056; Member since: 16 Mar 2013)


They conveniently left out the part that this can be fixed by using the latest browser's on even the older Android devices.

posted on 13 Jan 2015, 08:14

27. XperiaFanZone (Posts: 2010; Member since: 21 Sep 2012)


EDIT: ...

posted on 13 Jan 2015, 12:01 1

43. InspectorGadget80 (unregistered)


I don't see my XPERIA Z1 have a bug in it. Just because Took says it have bugs in it? How bout all those stolen CELEBRITY pictures taken from the iCloud can u explain that

posted on 13 Jan 2015, 12:30

44. torr310 (Posts: 769; Member since: 27 Oct 2011)


I wonder if Android can be updated/tinkered by a single patch like Windows updates? That would solve the problem!

posted on 14 Jan 2015, 08:55

51. michaelny2001 (Posts: 86; Member since: 01 Aug 2012)


guys, think about it this way, if somebody didn't upgrade from 4.3 or 4.2, why would they update this??? People are too lazy to check for updates (I have a buddy who never does that, unless i do it for him) or their handsets doesn't support it. So this is a lose-lose situation. Just upgrade to the goodness of kitkat, 4.4.4 and all good. this is why google won't do anything about it. Do yo usee Apple servicing ios 4.0? No it's all about 8.0.2 or whatever the version is.

posted on 13 Jan 2015, 02:50 32

2. joey_sfb (Posts: 5236; Member since: 29 Mar 2012)


How is it more vulnerable compare to other platforms? This article reads as bad as the Apple propaganda slide.

posted on 13 Jan 2015, 03:05 23

4. itsjustJOH (Posts: 231; Member since: 18 Oct 2012)


I even think they just tried to publish the article just so they can use that photo.

posted on 13 Jan 2015, 04:22 7

16. Finalflash (Posts: 2719; Member since: 23 Jul 2013)


They want to start a flame war for their advertising problems. If they had a decent article with actual analysis once in a while, they would have legitimate page views and actual, long-term, revenue instead of this short term flame-bait crap.

posted on 13 Jan 2015, 07:02 3

21. Commentator (Posts: 3651; Member since: 16 Aug 2011)


Which is weird because you'd think they'd use the opportunity to create a 36-picture slideshow of the photo as well. This IS PhoneArena, after all.

posted on 13 Jan 2015, 03:35 8

12. RajRicardo (Posts: 372; Member since: 28 Feb 2014)


LOL! And look at google. Trying to point out bugs in Windows 8.1. Pathetic.

posted on 13 Jan 2015, 10:46 3

35. sgodsell (Posts: 3056; Member since: 16 Mar 2013)


The author left out the part that even on older versions of Android, if you upgrade to the latest browser then this bug is a no show.

posted on 13 Jan 2015, 03:00 27

3. amiaq (Posts: 509; Member since: 30 Jun 2012)


Lately I found articles in Phoenarena very bland and unexciting. I rarely spend more than 5 minutes skimming the article titles.

posted on 13 Jan 2015, 03:08 17

5. tech2 (Posts: 3326; Member since: 26 Oct 2012)


LOL......I wrote something very similar a couple of days back but mine was removed as it got many likes i.e. many people agreed with me.

posted on 13 Jan 2015, 03:08 2

6. Jamoga (Posts: 187; Member since: 17 Dec 2014)


well idk how the bug is supposed to be, but if it universal across android phones below kitkat, then google should do something about it. oems as we ve seen, how long it takes them to get updates out. next we knw is android 6 is out.

posted on 13 Jan 2015, 07:42 5

24. blingblingthing (Posts: 521; Member since: 23 Oct 2012)


Google has already addressed the problem. It's called android lollipop.

posted on 13 Jan 2015, 16:12

45. AlikMalix (Posts: 4828; Member since: 16 Jul 2014)


Great! The less-than-1% of android users are taken care off.

posted on 13 Jan 2015, 03:17 9

7. Jamoga (Posts: 187; Member since: 17 Dec 2014)


Phone arena posts somethings of iphone, good or bad, is iphone arena, they post bad of android, phone arena is boring, they have nothing to report. what shall they report :/ spontaneous get news from thin air .. all phone news i want, i get it here. # naggers!

posted on 13 Jan 2015, 04:53 4

18. AlikMalix (Posts: 4828; Member since: 16 Jul 2014)


That's exactly the way I see it!!! +100

posted on 13 Jan 2015, 03:22 5

8. GeorgeDao123 (Posts: 423; Member since: 20 Aug 2013)


Oh yeah, it takes over two years for Mr. Tod Beardsly - an expert - to announce this serious bug. So, how about other hackers? How long did it take them to issue and use that bug? Well, they may not have known whether that bug exists or not until our guy tells the world about it and he always know Google and its partners won't do anything for sure, because Android JB development has been discontinued for over a year.

This is nothing but a trick backed by Google's rivals.

posted on 13 Jan 2015, 10:52 1

36. elitewolverine (Posts: 4993; Member since: 28 Oct 2013)


When jb is on the majority of devices, with no upgrade path like a PC for solely software then yes its a problem.

posted on 13 Jan 2015, 03:23 6

9. JMartin22 (Posts: 1889; Member since: 30 Apr 2013)


One of these types of propaganda articles spring up for the sake of views. Because PA knows that when it's polarizing, it sells. This has no consequence to the typical everyday user anyway.

No one Android firmware version is the same across all devices anyway, OEMs often modify and iron out bugs in the coding anyway that Google would otherwise overlook and address in a later iteration of the OS.

posted on 13 Jan 2015, 03:31 3

10. boosook (Posts: 1413; Member since: 19 Nov 2012)


This is pure FUD.
If you own a Nexus, then your phone is updated unless it's more than three years old (galax nexus). Now we can discuss if this is enough or not: I agree that the limit should be higher, but most people changhe their phone before it's three years old.
If you own a phone by another manufacturer which has not been updated to kitkat, this means that your manufacturer has ended the support for that phone and your firmware would not be updated anyway. It would be completely wasted effort for Google to patch Android version prior to Kitkat, because no manufacturer in the world would then push the update to its customers.
So blame your manufacturer. I'm blaming Sony that ended support for my Xperia V after one year and a half, not Google.

posted on 13 Jan 2015, 03:32 1

11. itsdeepak4u2000 (Posts: 3702; Member since: 03 Nov 2012)


Mountain View is not viewing WebView. :)

This means either OEMs should provide the fixes or the phones before 4.4 should die.

posted on 13 Jan 2015, 04:00 10

14. RebelwithoutaClue (Posts: 2630; Member since: 05 Apr 2013)


Sorry PA, but you made a mistake there. Tim Cook was't the one who said toxic hellstew, he just quoted Adrian Kingsley-Hughes. It's says so on the image even. geesh... And one major bug doesn't make a toxic hellstew. But leave it to Tim to exaggerate the facts.

posted on 13 Jan 2015, 04:16 4

15. RebelwithoutaClue (Posts: 2630; Member since: 05 Apr 2013)


Also out of those 939 million phones, how many of them are used as feature phones and don't even go online? Or have Chrome installed? Tempest...teapot...

posted on 13 Jan 2015, 04:28 8

17. PapaSmurf (Posts: 10409; Member since: 14 May 2012)


PA is sloppy and unorganized. The f---ing picture itself shows the person who said the quote.

Jesus himself can't help this site.

posted on 13 Jan 2015, 07:34 4

23. Captain_Doug (Posts: 985; Member since: 10 Feb 2012)


It's going downhill for sure. Which is a shame. They have an amazing data base of devices. They just need better writers. Or at least ones that care.

posted on 13 Jan 2015, 05:36 3

19. RareCandy (banned) (Posts: 61; Member since: 20 Nov 2014)


If malware, then android.
if bugs, then android

ends of discussion :)

posted on 13 Jan 2015, 09:13 2

30. RebelwithoutaClue (Posts: 2630; Member since: 05 Apr 2013)


If stupid comment, then RareCandy

END (no s) of discussion :)

posted on 13 Jan 2015, 06:08 4

20. Captain_Doug (Posts: 985; Member since: 10 Feb 2012)


Where are these bugs and viruses everyone is talking about? People are crazy. I've never had either that wasn't a custom rom bug due to development (which is to be expected).

posted on 13 Jan 2015, 10:56

38. elitewolverine (Posts: 4993; Member since: 28 Oct 2013)


Come to my job, I do no less than 2-5 exchanges a day for a crashing os, .com, process error, fail to boot past startup, etc. At minimal I do 700 android replacements a year. That could actually be more, mine is on the low end of exchange rate percentages. My team alone exchanged a crap ton. Lets not forget the android update that bricked calls for the M8 for a month, that was literally due to a google update. Uninstalling google service update cleared up problem instantly. I could offer more. But blind people dont grow eyes.

posted on 13 Jan 2015, 07:07 3

22. AfterShock (Posts: 3698; Member since: 02 Nov 2012)


Tell them to use Chrome over a outdated browser built in.

I guess Googles masses are hooped if that's too hard.

Its like we have a bunch of former ifans or something an they can't switch settings, sheesh!

posted on 13 Jan 2015, 10:36

33. isprobi (Posts: 607; Member since: 30 May 2011)


For the type of people that frequent this site your comment makes sense. But for most people I know they just want a phone that works. They don't even know how to turn off notifications that drive them crazy or even what all those symbols on the notification bar mean. I really think a more user friendly experience is needed. There should be a fairly comprehensive "wizard" that walks people through the most common settings when they start their phone for the first time. And every application should do the same thing. Lastly a user should be able to re-run the wizard whenever they want to change something.

posted on 13 Jan 2015, 10:58

39. elitewolverine (Posts: 4993; Member since: 28 Oct 2013)


Your holding the phone wrong, dont use the built in apps they are prone to security flaws and problems, use these 3rd party apps instead....come on that's a copout and you know it. You know MS would never get away with that crap.

posted on 13 Jan 2015, 11:48

42. corporateJP (Posts: 2431; Member since: 28 Nov 2009)


No, MS gets away with imploding a company from the inside and taking them on the cheap.

By the way, how did their Danger hostile takeover work out? Oh, never mind, the Kins failed and Andy Rubin moved to Google...

posted on 13 Jan 2015, 19:56

46. elitewolverine (Posts: 4993; Member since: 28 Oct 2013)


Like google did with Moto. Your drivel is worthless, yes yes MS bought Nokia. Guess what the board of Nokia could have gotten rid of elop at any moment. Do you know how CEOs work? Also they didn't hire elop because Nokia was doing awesome. Go figure. But go ahead. Instead of posting an actual response that has any merit you post one like yours. So here have a banana and go browse 9gag.

posted on 13 Jan 2015, 23:46

50. corporateJP (Posts: 2431; Member since: 28 Nov 2009)


Got any more stories today about how you exchange defective iPhones and Androids more than WP?

Newsflash: you have to actually sell someone a WP before it even puts them into a position to return it.

And that banana? Did you get it from Crispin Guzman or whatever his name is? Just curious, since he you guys are in cahoots and all. I know you cats get bored on Windows Central since there's not much going on there. So do you all time it together when you come here? Sorry, I just want to know what goes on in the heads of those that worship false idols or clean their pools (Elop), that's all. Thanks...

posted on 13 Jan 2015, 07:49 1

25. Exempt1 (unregistered)


Jelly Bean is a 2012 released OS. Why should Google still provide support for that OS? All flagship phone's are on Kitkat or Lollipop that were released in the past 2 years or more. This is a pointless article.

Also, just to make things even, Jelly Bean was the same year of iOS 6, which also has a huge security bug which Apple refuse to fix...................................

posted on 13 Jan 2015, 11:01

40. elitewolverine (Posts: 4993; Member since: 28 Oct 2013)


70% of phones are not flagship for android. And majority of users are not on kitkat or higher. 2yrs is nothing. Try being a company that stops supporting a 12yr old os and get flack for it.

posted on 13 Jan 2015, 20:33

49. Exempt1 (unregistered)


Google doesn't care about the OEM's, which is the majority of the 70%. Google gave the update to the OEM's, but they choose not to deliver it to the customers phones which are capable of running the software. Nexus devices are well supported which are what Google aim to do. Apple make iPhones, Google make Nexus. These are the two to compare when talking about these kind of figures you have stated. Samsung, LG, Sony, HTC etc are companies who are on the edge about a three year life cycle.

Also, screw Windows, these are phones. I'd be ticked if my PC OS updated every year after I just got used to it's new functions, and so would developers. I work in design, and even now some programs glitch out on 8.1, which didn't happen on 7. Also, imagine telling your elders how to use the new update every single year. It's two complete different ball games.

posted on 13 Jan 2015, 07:59 3

26. VZWuser76 (Posts: 3608; Member since: 04 Mar 2010)


What I'd like to know is, how is this any different from someone using a PC with Windows 98 or IE6 and there is a vulnerability in those platforms. Companies who stop support for a certain OS or specific programs means just that, they stopped support. Do you think if there was a major security risk, that they'd issue a patch for something like Win98 or Win2000? No, they expect you to move up and upgrade.

posted on 13 Jan 2015, 08:29 2

28. Extraneus (Posts: 121; Member since: 02 Jun 2012)


You're comparing support for a 14 year old OS with support for a 2 year old ditto?

posted on 13 Jan 2015, 09:15 2

31. VZWuser76 (Posts: 3608; Member since: 04 Mar 2010)


That's irrelevant. End of support is end of support. I just used 98 as an example, but they also no longer support Win XP. If any threat comes out for any OS or device they've dropped support on, they're not going to see a fix. The difference is mobile OS life cycles are much shorter than their desktop counterparts, but either way, end of support is end of support. And it's no different on any platform. Windows Phone doesn't support each iteration for as long as they do their desktop Windows version, nor does Apple support each iOS version as long as their desktop counterpart.

posted on 13 Jan 2015, 20:00

47. elitewolverine (Posts: 4993; Member since: 28 Oct 2013)


Guess MS just does it better, their win8 phones will get win10, well that is the hopes. If they live up to it, then MS has solved the phone life cycle problem. Also apple supported their 3yr old product. All in all its a copout. Xp is also 13+ yrs old, your still failing at product timelines.

posted on 14 Jan 2015, 12:27

54. corporateJP (Posts: 2431; Member since: 28 Nov 2009)


Better to be in bed with the devil you know I guess is what you're saying.

Way to keep sticking up for Microsoft, they do nothing better than Apple or Google. They have their fair share of screw ups. Vista, Danger purchase, Kin phones...I won't even discuss the "N" word.

And, you put the cart before the horse with your speculation on current or previous WP models getting any update to 10.

I got a Nokia 800 that would tell you an entirely different story, stuck on 7...

By the way, you still got some of those bananas from Crispin?

posted on 13 Jan 2015, 08:43 1

29. hortizano (Posts: 274; Member since: 22 May 2013)


But I can't help been in love with Android... If you love something, you got to accept it with his/hers/its flaws...

posted on 13 Jan 2015, 10:53 1

37. TRUVILLE (Posts: 146; Member since: 11 Sep 2014)


And that's why I only buy Google edition, Nexus ,android wear, and moto x product

posted on 13 Jan 2015, 11:05

41. mildorzalost (Posts: 140; Member since: 03 Jun 2014)


Google is an asshole, bitching with Microsoft because windows have a bug and didn't fix it during 90 days, and then they have this a lot more dangerous bug and they just decided that they're not gonna fix anything...

SHAME ON GOOGLE

posted on 13 Jan 2015, 20:01

48. elitewolverine (Posts: 4993; Member since: 28 Oct 2013)


Their 'fix' as all android apologist here will cry, is 4.4 or use chrome.

posted on 14 Jan 2015, 11:08

52. Android4EveryOne (Posts: 20; Member since: 19 Apr 2014)


Phonearena.com is pure trash!

posted on 14 Jan 2015, 11:24 1

53. PhillyG411 (Posts: 2; Member since: 09 Jan 2015)


Ill take any android even running ice cream sandwich before illl buy any pos applep products which are simplistic and designed for senior citizens and moms who have no clue what an OS.

posted on 15 Jan 2015, 00:04

55. jviral (Posts: 4; Member since: 04 Jan 2015)


Any thoughts? Well done, Peter K.! Absolute biased piece of trash article. It is an OEM issue if the new software is available but they refuse to update the device. Also, a simple fix: update your Web browser. Why don't you mention that, Peter? Convenient article in the shadow of Microsoft controversy that Google pointed out a security flaw and Microsoft refuses to patch. Interesting. Maybe a little motivation thrown Peter'$ way.

Want to comment? Please login or register.

Latest stories