New Android Bug Potentially Risks a Billion Phones and Tablets

A serious new bug has put almost a billion Android devices, or almost 60% of all Android-running phones and tablets under threat. If your phone or tablet runs on version before 4.4 KitKat, you could be in trouble too.

The bug was found by Joe Vennix, an engineer at Rapid7 and Rafay Baloch, an independent researcher. It lies in the WebView component of the older OS versions, allowing apps to view what content you’re surfing, without launching a separate app, of course. This is a huge security compromise, through which your info can be accessed by any entity anywhere.

This isn’t the first time that Android browser has come under scrutiny; last year we saw some major flaws being uncovered. The later versions of Android aren’t affected by it since they run Blink rather than WebKit for WebView, which used to be a part of the Android Open Source Program (AOSP). However, though the browser has been replaced by Chrome in the newer versions, it comprises for almost half of all traffic.

Unsurprisingly, when Google were notified of the flaw, it was hesitant to take any action at all, instead preferring to notify its partners to offer some remedy. Here’s what it had to say:

If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.

We consider the matter closed, then.

Ironically, this news came after Google had publicly derided Microsoft for a flaw in Windows 8.1. Though, Microsoft is most likely expected to fix that issue soon, Mountain View cannot be expected in the least to do the same.

As for the users, the least they can do is stop using apps that they don’t trust. That would count out a few major names surely. While OEMs can’t possibly update all the devices, Google has now pushed more functionality in services such as Google Play Services and Play Store. In version 5.0 Lollipop, the same goes for WebView too. Where possible, though, you should not refrain from updating the OS any further.


  • MuTaTeD

    Is it Google’s job to push update to devices running 2 year old operating system or the Manufacturing partners and Carriers? Google fixed this bug over an year ago when they pushed 4.4 to OEMs and Carriers.

    Now if the OEMs and Carriers are dragging their feet and not updating the devices they are responsible for (and in fact still selling then today) then why should Google take the blame.

    Also please show any device officially sold by Google in the last 2 year (Nexus & developer Edition series) which still have this bug since Google can be held responsible for those devices.

    Please check your facts and apply some logic before copy pasting publicity/defamation stunt articles from the internet.

    • DJ

      Looks like someone has so much pain after reading this article .. we are with you Buddy . Heil Google :)

      • Adeel

        Hahahaha
        Poor Google

    • Amir

      Regarding your Microsoft example, yes, it would surely push the update if it officially is supporting that OS.

      Google did not announce over stopping support for older versions, these reporting persons only came to know after they contacted Google for above mentioned flaw.

      And no, it’s not Carrier’s duty, it’s Google’s duty because they are the ones who make OS, carriers just add their Gimmick features to it and a minor touch ups. Moreover, it’s not just major Giants who are using Android but many small-medium based mobile phone companies which are using the vanilla Roms. Is it logical to ask every phone making company to ask to put their developers on finding and fixing the bugs or just Google releasing the patch which could be used by all?

      • MuTaTeD

        Google has mentioned 18 months for support time for devices it is responsible for and has also been trying to get licensed OEMs and Carriers to provide the same support & update period…

        As mentioned before, the bug was fixed by Google in 4.4. Now it is up to the OEMs and Carriers to push this update to their customer devices since this fix needs to make some core files modification which are locked by the Carriers & OEMs when they deployed their firmware and ROM so only someone who has the unlock key can update the said files.

        Case in point. Google provided Android 4.4 in Oct/Nov 2013 to OEMs. Motorola updated their supported devices and announced which devices would be getting the KitKat treatment in late November 2014. Atrix HD is one of those devices which was supposed to get the KitKat update. (Ref: https://motorola-global-portal.custhelp.com/app/software-upgrade-news/g_id/1949/action/auth#gs=)

        The other devices from the same family (different Carriers) began receiving these updates in March 2014, however Atrix HD is still stuck at 4.1 more than 1 year after this announcement since AT&T (the Carrier partner who sold this device) is not interested in providing the update to its customers since updating old phones cuts into their bottom line and they would rather sell their customers new phones rather supporting old ones.

        So @Amir please let us know is it Google’s fault that they fixed the problems in their OS and released a new version or Motorola’s fault that they quickly (within 3 months) provided updates for devices they they were supporting or Carrier’s fault for not pushing those updates to customers.

        In short if getting the bugs fixed is so important for users, then they should invest in Nexus or Developer Edition phones rather than Mediatek and other cheap chipset Chinese phones or force their carriers and OEMs to provide updates for their devices.

        Edit: The bug in question is actually in webkit which is kindly provided by Apple to the Open-source community (since it is a fork on KHTML) so really by this logic it should be Apple’s responsibility or KDE team responsibility to fix this bug and push it downstream

    • Guest

      Have a chill pill, MuTaTeD, and be rational.

  • Google Project Zero team is more busy in finding bugs in the rival’s OSes!

  • Atifsh

    stupid article/headline, not just here obviously idea was taken from elsewhere.
    facts.

    1: does the problem exists on nexus S and galaxy nexus?? my info it was patched
    2: newer phones were updated to 4.4
    3: android is open source, its oem’s problem they didnt updated at their end, google already updated for everyone, they (oem) just have to do for themselves.
    4: google waited 3 months before posting windows issue, so stop bashing wrong people.

    • Shahid Saleem

      Your info is wrong, Nexus S and Nexus both have this bug.

      • Atifsh

        well if that’s true, its on Google as these 2 phones are Google’s responsibility, rest are oem’s.

        • Shahid Saleem

          Not really, those products have reached EoL status long ago.

          • Atifsh

            eol is not the issue here, as other oem will say same, thing is all these phones that are oem are way faster and newer than nexus S and galaxy nexus yet oem refuses to update.

            • Shahid Saleem

              It doesn’t matter what ***YOU*** believe, according to Google, both products are EOL’d in terms of support. In Nexus S and Google Nexus case, yes, EOL is the issue.

              • Atifsh

                you just need to comment right?
                issue raised is millions of phones with the bug
                issue raised its google problem they should fix it
                you said older nexus aren’t fixed
                you said its not google issue as these devices are eol
                you see you are all over the place.

                fact remains, if it is the issue and everyone blame google to fix the problem for their older devices than eol doesnt matter.
                if you are going to play eol card than stop blaming google.

                by the way i dont blame google, i just blame them for these 2 devices and google has recently posted why they cant fix these phones so i have been answered.

                • Shahid Saleem

                  Once again: it does not matter what ***YOU*** believe, or what you ***WISH***, only matters what Google ***WILL*** do.

                  And Google is not going to update Nexus S or Google Nexus to fix the bug. You can come up with any reason for that or for being unhappy but who cares? It’s Google’s choice to say EOL. And they have said it.

                  In fact, there are known Nexus 4 bugs that are marked WONTFIX. As far as Google is concerned, it is not even a priority any more.

                  • Atifsh

                    Once again —YOU— just needed to comment!
                    Check again, i never had the issue with this bug news and affected devices.
                    You’re wasting your intellect on wrong person here.

                    • Shahid Saleem

                      Now you are not being honest. First you ask if it affects Nexus S. When told it does, you say “it’s on Google”. Repeatedly after being told it’s orphanned by Google, you say “i never had the issue”

                      Fool, if you never had the issue, you would never have cried about OEM and Google not EoL devices.

                      But your last sentence is 100% truth.

                    • Atifsh

                      lets finish this you can bark all you want, go and see my first comment. that comment was for the article. you corrected my info and i agreed to it.
                      thats it. ignoring now

  • Anzak Aleem

    Its before 4.4 why would you put a lollipop cover for this article :(
    Please be responsible, I though you guys were different and better than other Pakistani media.

  • Adeel

    Thank God i am not a user or lover of android
    I love my IOS and Windows Phone 8.1

  • ahmad raza

    So every person say iOS is most greatful operating software

  • ahmad raza

    In this operating software if any problem faced Apple support us at every time