Whenever asked about security and malware in Android, Google always explains how it keeps updating the security of its mobile operating system to make sure users are safe, while simultaneously minimizing the risks. Even so, millions of Android users are affected by malware, and security researchers have just discovered a serious issue that might affect as many as 1 billion devices — and Google isn’t willing to fix it. Or at least, not by itself.
Rapid7’s Tod Beardsley discovered a security bug in WebView, a component used to render web pages on an Android device inside an app that’s not necessarily an Internet browser, which affects all Android versions before Android 4.4 KitKat. That’s a large number of smartphones and tablets, according to Google’s own Android distribution stats.
Google has somewhat acknowledged the issue, but it’s not issuing a fix for the affected devices, though it would support patches coming from third-parties and device makers.
“If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration,” the company said. “Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.”
Even if the security threat is significant and hackers could take advantage of it in the future (it’s not clear whether any attacks based on this potential exploit have affected any users), Google isn’t in a position to update that many devices by itself, because the security flaw is baked into the OS.
The company would have to work with OEMs and carriers to release OS updates that would patch the vulnerability. And Android OS updates have never been rolled out on such a massive scale. Nor have they been timely.
On newer devices, starting with Android 4.4, Google could easily roll out fixes, as the WebView component isn’t included in the core OS anymore, but in the Google Play Services app, which Google can update by itself whenever it needs to, without involving OEMs and carriers.