Roughly 939 million Android phones affected by a grave bug, Google won't do anything about it

According to Tod Beardsley, a security analyst with Rapid7, all Android versions below Android 4.4 KitKat suffer from a pretty serious security vulnerability, which leaves them out on a limb, susceptible to malicious hacker attacks.

It seems that the culprit for this security hole is a bug found inside Android WebView, an integral component of Android 4.3 and lower builds that lets a given app display online content. It works alongside numerous other core Android services, which, naturally, leaves a security breach as wide as the Grand Canyon.

This security flaw leaves roughly 939 million Android handsets vulnerable to malicious attacks, which is a pretty serious figure. Generally, one might speculate that Google will be addressing the flaw as we speak, working on an urgent hotfix. However, one would be quite wrong, unfortunately.

It seems that Mountain View is not concerned at all about the WebView security issue, declining to fix the problem and leaving the various OEMs to cope with it themselves. Considering the fragmentation of the platform, this generally means that a lot of them might not address the issue either.

Google uses a different, similar component for Android 4.4.x KitKat and 5.0 Lollipop, which means that they can't be affected by the WebView bug. Yet these versions of the OS are not as widely present as the older ones.

It looks like Tim Cook might have been entirely correct when he claimed that Android is a "toxic hellstew of vulnerabilities". Any thoughts?

source: BGR



1. iushnt

Posts: 3160; Member since: Feb 06, 2013

Will it really affect general people? Those who use phone for really classified communication will definitely have latest secured device..

13. Duketytz

Posts: 534; Member since: Nov 28, 2013

Nah Phonearena just wants you to know Google socks even though this isn't google's fault. Blame it on the OEMs who refuse to update devices past jellybean

32. LiquidGalaxy

Posts: 332; Member since: Jul 03, 2013

Well no, let's not be stupid, Jellybean isn't exactly an old OS, so it's nothing to do with that..

34. sgodsell

Posts: 7605; Member since: Mar 16, 2013

They conveniently left out the part that this can be fixed by using the latest browsers on even the older Android devices.

27. XperiaFanZone

Posts: 2280; Member since: Sep 21, 2012

EDIT: ...

43. InspectorGadget80 unregistered

I don't see my XPERIA Z1 have a bug in it. Just because Took says it have bugs in it? How bout all those stolen CELEBRITY pictures taken from the iCloud can u explain that

44. torr310

Posts: 1708; Member since: Oct 27, 2011

I wonder if Android can be updated/tinkered by a single patch like Windows updates? That would solve the problem!

51. michaelny2001

Posts: 348; Member since: Aug 01, 2012

guys, think about it this way, if somebody didn't upgrade from 4.3 or 4.2, why would they update this??? People are too lazy to check for updates (I have a buddy who never does that, unless I do it for him) or their handsets don't support it. So this is a lose-lose situation. Just upgrade to the goodness of kitkat, 4.4.4 and all good. this is why google won't do anything about it. Do you see Apple servicing ios 4.0? No it's all about 8.0.2 or whatever the version is.

2. joey_sfb

Posts: 6794; Member since: Mar 29, 2012

How is it more vulnerable compared to other platforms? This article reads as bad as the Apple propaganda slide.

4. itsjustJOH

Posts: 232; Member since: Oct 18, 2012

I even think they just tried to publish the article just so they can use that photo.

16. Finalflash

Posts: 4063; Member since: Jul 23, 2013

They want to start a flame war for their advertising problems. If they had a decent article with actual analysis once in a while, they would have legitimate page views and actual, long-term, revenue instead of this short term flame-bait crap.

21. Commentator

Posts: 3723; Member since: Aug 16, 2011

Which is weird because you'd think they'd use the opportunity to create a 36-picture slideshow of the photo as well. This IS PhoneArena, after all.

12. RajRicardo

Posts: 503; Member since: Feb 28, 2014

LOL! And look at google. Trying to point out bugs in Windows 8.1. Pathetic.

35. sgodsell

Posts: 7605; Member since: Mar 16, 2013

The author left out the part that even on older versions of Android, if you upgrade to the latest browser then this bug is a no show.

3. amiaq

Posts: 509; Member since: Jun 30, 2012

Lately I found articles in PhoneArena very bland and unexciting. I rarely spend more than 5 minutes skimming the article titles.

5. tech2

Posts: 3487; Member since: Oct 26, 2012

LOL......I wrote something very similar a couple of days back but mine was removed as it got many likes i.e. many people agreed with me.

6. Jamoga

Posts: 187; Member since: Dec 17, 2014

well idk how the bug is supposed to be, but if it's universal across android phones below kitkat, then google should do something about it. oems as we've seen, how long it takes them to get updates out. next we know is android 6 is out.

24. blingblingthing

Posts: 982; Member since: Oct 23, 2012

Google has already addressed the problem. It's called android lollipop.

45. AlikMalix unregistered

Great! The less-than-1% of android users are taken care of.

7. Jamoga

Posts: 187; Member since: Dec 17, 2014

Phone arena posts somethings of iphone, good or bad, is iphone arena, they post bad of android, phone arena is boring, they have nothing to report. what shall they report :/ spontaneous get news from thin air .. all phone news i want, i get it here. # naggers!

18. AlikMalix unregistered

That's exactly the way I see it!!! +100

8. GeorgeDao123

Posts: 432; Member since: Aug 20, 2013

Oh yeah, it takes over two years for Mr. Tod Beardsley - an expert - to announce this serious bug. So, how about other hackers? How long did it take them to issue and use that bug? Well, they may not have known whether that bug exists or not until our guy tells the world about it and he always knows Google and its partners won't do anything for sure, because Android JB development has been discontinued for over a year. This is nothing but a trick backed by Google's rivals.

36. elitewolverine

Posts: 5192; Member since: Oct 28, 2013

When jb is on the majority of devices, with no upgrade path like a PC for solely software then yes it's a problem.

9. JMartin22

Posts: 2391; Member since: Apr 30, 2013

One of these types of propaganda articles spring up for the sake of views. Because PA knows that when it's polarizing, it sells. This has no consequence to the typical everyday user anyway. No one Android firmware version is the same across all devices anyway, OEMs often modify and iron out bugs in the coding anyway that Google would otherwise overlook and address in a later iteration of the OS.

10. boosook

Posts: 1442; Member since: Nov 19, 2012

This is pure FUD. If you own a Nexus, then your phone is updated unless it's more than three years old (Galaxy Nexus). Now we can discuss if this is enough or not: I agree that the limit should be higher, but most people change their phone before it's three years old. If you own a phone by another manufacturer which has not been updated to kitkat, this means that your manufacturer has ended the support for that phone and your firmware would not be updated anyway. It would be completely wasted effort for Google to patch Android version prior to Kitkat, because no manufacturer in the world would then push the update to its customers. So blame your manufacturer. I'm blaming Sony that ended support for my Xperia V after one year and a half, not Google.

11. itsdeepak4u2000

Posts: 3718; Member since: Nov 03, 2012

Mountain View is not viewing WebView. :) This means either OEMs should provide the fixes or the phones before 4.4 should die.

14. RebelwithoutaClue unregistered

Sorry PA, but you made a mistake there. Tim Cook wasn't the one who said toxic hellstew, he just quoted Adrian Kingsley-Hughes. It says so on the image even. geesh... And one major bug doesn't make a toxic hellstew. But leave it to Tim to exaggerate the facts.

15. RebelwithoutaClue unregistered

Also out of those 939 million phones, how many of them are used as feature phones and don't even go online? Or have Chrome installed? Tempest...teapot...

17. PapaSmurf

Posts: 10457; Member since: May 14, 2012

PA is sloppy and unorganized. The f---ing picture itself shows the person who said the quote. Jesus himself can't help this site.

23. Captain_Doug

Posts: 1037; Member since: Feb 10, 2012

It's going downhill for sure. Which is a shame. They have an amazing data base of devices. They just need better writers. Or at least ones that care.
