
Roughly 939 million Android phones affected by a grave bug, Google won't do anything about it

Posted by Peter K.


According to Tod Beardsley, a security analyst with Rapid7, all Android versions below Android 4.4 KitKat suffer from a pretty serious security vulnerability, which leaves them out on a limb, susceptible to malicious hacker attacks.

It seems that the culprit for this security hole is a bug found inside Android WebView, the component that allows an app to display online content and an integral part of Android 4.3 and lower builds. It works alongside numerous other core Android services, which, naturally, leaves a security breach as wide as the Grand Canyon.

This security flaw leaves roughly 939 million Android handsets vulnerable to malicious attacks, which is a pretty serious figure. One might assume that Google is addressing the flaw as we speak, working on an urgent hotfix. However, one would be quite wrong, unfortunately.

It seems that Mountain View is not concerned at all about the WebView security issue, declining to fix the problem and leaving the various OEMs to cope with it themselves. Considering the fragmentation of the platform, this generally means that a lot of them might not address the issue either.

“If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch,” Google explained to Tod Beardsley.

Google uses a different, similar component in Android 4.4.x KitKat and 5.0 Lollipop, which means that those versions can't be affected by the WebView bug. Yet these versions of the OS are not as widely used as the older ones.

It looks like Tim Cook might have been entirely correct when he claimed that Android is a "toxic hellstew of vulnerabilities". Any thoughts?

source: BGR

55 Comments

posted on 13 Jan 2015, 02:47 6

1. iushnt (Posts: 1785; Member since: 06 Feb 2013)


Will it really affect general people? Those who use phone for really classified communication will definitely have latest secured device..

posted on 13 Jan 2015, 03:39 12

13. Duketytz (Posts: 534; Member since: 28 Nov 2013)


Nah Phonearena just wants you to know Google socks even though this isn't google's fault. Blame it on the OEMs who refuse to update devices past jellybean

posted on 13 Jan 2015, 10:06

32. LiquidGalaxy (Posts: 332; Member since: 03 Jul 2013)


Well no, let's not be stupid, Jellybean isn't exactly an old OS, so it's nothing to do with that..

posted on 13 Jan 2015, 10:44 5

34. sgodsell (Posts: 3884; Member since: 16 Mar 2013)


They conveniently left out the part that this can be fixed by using the latest browsers on even the older Android devices.

posted on 13 Jan 2015, 08:14

27. XperiaFanZone (Posts: 2146; Member since: 21 Sep 2012)


EDIT: ...

posted on 13 Jan 2015, 12:01 1

43. InspectorGadget80 (unregistered)


I don't see my XPERIA Z1 have a bug in it. Just because Took says it have bugs in it? How bout all those stolen CELEBRITY pictures taken from the iCloud can u explain that

posted on 13 Jan 2015, 12:30

44. torr310 (Posts: 885; Member since: 27 Oct 2011)


I wonder if Android can be updated/tinkered by a single patch like Windows updates? That would solve the problem!

posted on 14 Jan 2015, 08:55

51. michaelny2001 (Posts: 126; Member since: 01 Aug 2012)


guys, think about it this way, if somebody didn't upgrade from 4.3 or 4.2, why would they update this??? People are too lazy to check for updates (I have a buddy who never does that, unless I do it for him) or their handsets don't support it. So this is a lose-lose situation. Just upgrade to the goodness of kitkat, 4.4.4 and all good. this is why google won't do anything about it. Do you see Apple servicing ios 4.0? No it's all about 8.0.2 or whatever the version is.

posted on 13 Jan 2015, 02:50 32

2. joey_sfb (Posts: 5987; Member since: 29 Mar 2012)


How is it more vulnerable compared to other platforms? This article reads as bad as the Apple propaganda slide.

posted on 13 Jan 2015, 03:05 23

4. itsjustJOH (Posts: 232; Member since: 18 Oct 2012)


I even think they just tried to publish the article just so they can use that photo.

posted on 13 Jan 2015, 04:22 7

16. Finalflash (Posts: 3206; Member since: 23 Jul 2013)


They want to start a flame war for their advertising problems. If they had a decent article with actual analysis once in a while, they would have legitimate page views and actual, long-term, revenue instead of this short term flame-bait crap.

posted on 13 Jan 2015, 07:02 3

21. Commentator (Posts: 3709; Member since: 16 Aug 2011)


Which is weird because you'd think they'd use the opportunity to create a 36-picture slideshow of the photo as well. This IS PhoneArena, after all.

posted on 13 Jan 2015, 03:35 8

12. RajRicardo (Posts: 401; Member since: 28 Feb 2014)


LOL! And look at google. Trying to point out bugs in Windows 8.1. Pathetic.

posted on 13 Jan 2015, 10:46 3

35. sgodsell (Posts: 3884; Member since: 16 Mar 2013)


The author left out the part that even on older versions of Android, if you upgrade to the latest browser then this bug is a no show.

posted on 13 Jan 2015, 03:00 27

3. amiaq (Posts: 509; Member since: 30 Jun 2012)


Lately I found articles in PhoneArena very bland and unexciting. I rarely spend more than 5 minutes skimming the article titles.

posted on 13 Jan 2015, 03:08 17

5. tech2 (Posts: 3475; Member since: 26 Oct 2012)


LOL......I wrote something very similar a couple of days back but mine was removed as it got many likes i.e. many people agreed with me.

posted on 13 Jan 2015, 03:08 2

6. Jamoga (Posts: 187; Member since: 17 Dec 2014)


well idk how the bug is supposed to be, but if it universal across android phones below kitkat, then google should do something about it. oems as we ve seen, how long it takes them to get updates out. next we knw is android 6 is out.

posted on 13 Jan 2015, 07:42 5

24. blingblingthing (Posts: 538; Member since: 23 Oct 2012)


Google has already addressed the problem. It's called android lollipop.

posted on 13 Jan 2015, 16:12

45. AlikMalix (Posts: 6277; Member since: 16 Jul 2014)


Great! The less-than-1% of android users are taken care of.

posted on 13 Jan 2015, 03:17 9

7. Jamoga (Posts: 187; Member since: 17 Dec 2014)


Phone arena posts somethings of iphone, good or bad, is iphone arena, they post bad of android, phone arena is boring, they have nothing to report. what shall they report :/ spontaneous get news from thin air .. all phone news i want, i get it here. # naggers!

posted on 13 Jan 2015, 04:53 4

18. AlikMalix (Posts: 6277; Member since: 16 Jul 2014)


That's exactly the way I see it!!! +100

posted on 13 Jan 2015, 03:22 5

8. GeorgeDao123 (Posts: 431; Member since: 20 Aug 2013)


Oh yeah, it takes over two years for Mr. Tod Beardsly - an expert - to announce this serious bug. So, how about other hackers? How long did it take them to issue and use that bug? Well, they may not have known whether that bug exists or not until our guy tells the world about it and he always knows Google and its partners won't do anything for sure, because Android JB development has been discontinued for over a year.

This is nothing but a trick backed by Google's rivals.

posted on 13 Jan 2015, 10:52 1

36. elitewolverine (Posts: 5188; Member since: 28 Oct 2013)


When jb is on the majority of devices, with no upgrade path like a PC for solely software then yes it's a problem.

posted on 13 Jan 2015, 03:23 6

9. JMartin22 (Posts: 1984; Member since: 30 Apr 2013)


One of these types of propaganda articles spring up for the sake of views. Because PA knows that when it's polarizing, it sells. This has no consequence to the typical everyday user anyway.

No one Android firmware version is the same across all devices anyway, OEMs often modify and iron out bugs in the coding anyway that Google would otherwise overlook and address in a later iteration of the OS.

posted on 13 Jan 2015, 03:31 3

10. boosook (Posts: 1437; Member since: 19 Nov 2012)


This is pure FUD.
If you own a Nexus, then your phone is updated unless it's more than three years old (Galaxy Nexus). Now we can discuss if this is enough or not: I agree that the limit should be higher, but most people change their phone before it's three years old.
If you own a phone by another manufacturer which has not been updated to kitkat, this means that your manufacturer has ended the support for that phone and your firmware would not be updated anyway. It would be completely wasted effort for Google to patch Android version prior to Kitkat, because no manufacturer in the world would then push the update to its customers.
So blame your manufacturer. I'm blaming Sony that ended support for my Xperia V after one year and a half, not Google.

posted on 13 Jan 2015, 03:32 1

11. itsdeepak4u2000 (Posts: 3718; Member since: 03 Nov 2012)


Mountain View is not viewing WebView. :)

This means either OEMs should provide the fixes or the phones before 4.4 should die.

posted on 13 Jan 2015, 04:00 10

14. RebelwithoutaClue (Posts: 3027; Member since: 05 Apr 2013)


Sorry PA, but you made a mistake there. Tim Cook wasn't the one who said toxic hellstew, he just quoted Adrian Kingsley-Hughes. It says so on the image even. geesh... And one major bug doesn't make a toxic hellstew. But leave it to Tim to exaggerate the facts.

posted on 13 Jan 2015, 04:16 4

15. RebelwithoutaClue (Posts: 3027; Member since: 05 Apr 2013)


Also out of those 939 million phones, how many of them are used as feature phones and don't even go online? Or have Chrome installed? Tempest...teapot...

posted on 13 Jan 2015, 04:28 8

17. PapaSmurf (Posts: 10457; Member since: 14 May 2012)


PA is sloppy and unorganized. The f---ing picture itself shows the person who said the quote.

Jesus himself can't help this site.

posted on 13 Jan 2015, 07:34 4

23. Captain_Doug (Posts: 1017; Member since: 10 Feb 2012)


It's going downhill for sure. Which is a shame. They have an amazing database of devices. They just need better writers. Or at least ones that care.
