sciencetech-blog

comments

A major security flaw has been found in Android, Google's phone software.

The bug could allow hackers to gain control of a device if the user is running an old version of the software.

However, the search giant has come under fire for saying it will not address the issue - which experts say could leave up almost a billion users vulnerable.

Android 4.4 and 5.0, are unaffected by the latest flaw. However, around 60 percent of Android users are using 4.3 or below, and are at risk.

The flaw is in WebView, a component used to render web pages on an Android device inside an app that's not necessarily an Internet browser, which affects all Android versions before Android 4.4 KitKat.

Android 4.4 and 5.0, are unaffected. 

However, around 60 percent of Android users are using 4.3 or below, and are at risk 

'If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration,' said Google.

'Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.'

Rapid7's Tod Beardsley discovered the security bug, and Google's response, which he described as 'some eyebrow-raising news.'

WebView is used in about 930 million Android devices, Beardsley said. 

'Unfortunately, this is great news for criminals for the simple reason that, for real bad guys, pretty much everything is in scop,' he said. 

He called for Google to take action. 

'As a software developer, I know that supporting old versions of my software is a huge hassle. 

'I empathize with their decision to cut legacy software loose. 

'However, a billion people don't rely on old versions of my software to manage and safeguard the most personal details of their lives. 

Experts have called for Google to take action and fix the issue, even though it only affects users of an old version of Android.

'In that light, I'm hoping Google reconsiders if (when) the next privacy-busting vulnerability becomes public knowledge.'

Beardsley told ZDNet that he learned of the policy change last October and suspects it coincided with the release of Android 5.0 Lollipop, the klatest version of Google's Android software..

'It's important to consider that there is no published end-of-life or end-of-support policy from Google with regard to any version of Android. 

The latest Android distribution figures from Google indicates that 46 per cent of Android devices still run on Jelly Bean, another 39.1 per cent use KitKat. Gingerbread runs on about 7.8 per cent of handsets, Ice Cream Sandwich, 6.7 per cent and Froyo about 0.4 per cent.

'Google may decide to drop support for KitKat tomorrow, though doing so would be suicidal. 

'Of course, I would expect that dropping support for 60% of your install base would also be suicidal, yet here we are,' he said.

The latest Android distribution figures from Google indicates that 46 per cent of Android devices still run on Jelly Bean, another 39.1 per cent use KitKat. Gingerbread runs on about 7.8 per cent of handsets, Ice Cream Sandwich, 6.7 per cent and Froyo about 0.4 per cent.