Millions of Android users could be at risk as Google cuts back on security updates for older versions of its smartphone operating system.
The risk arises because Google has stopped producing security updates for parts of those older versions.
About 60% of all Android users, those on Android 4.3 or older, will be affected by the change.
The researchers who uncovered the policy change said it was “great news for criminals”.
Bizarre response
The shift was brought to light by security experts who found vulnerabilities in the WebView component of Android 4.3, also known as Jelly Bean. WebView is the component apps use to display web pages on an Android device.
Tod Beardsley and Joe Vennix from security firm Rapid7 and independent vulnerability finder Rafay Baloch contacted Google to report the flaw. They expected to hear about the work Google was doing to patch the bug, but instead were told that it was now only fixing bugs found in the two most recent versions of Android, known as KitKat (4.4) and Lollipop (5.0).
In a blog post, Mr Beardsley said Google’s Android security team told him it would “welcome” a patch from the researchers if they produced one, but would not be making one itself. It added that it would tell its Android partners about the bug even though no fix would be forthcoming.
Mr Beardsley said the response was so “bizarre” that he contacted Google for clarification and was told again that many components of Android in earlier versions of the OS would not be getting fixes.
Over the last year, Mr Vennix and Mr Baloch have uncovered 11 separate vulnerabilities in the WebView component.
Mr Beardsley questioned the wisdom of the decision because Google’s own statistics show that the majority of Android users, about 60%, are still using the older, vulnerable versions of Android.
“It would appear that over 930 million Android phones are now out of official Google security patch support,” wrote Mr Beardsley.
Mr Beardsley did point out that it was not all bad news for Android users as some elements of the older versions, such as the multimedia player, will still be updated. In addition, Google regularly changes the requirements apps must meet to head off some security problems.
However, he added: “Any new bug discovered in ‘legacy’ Android is going to last as a mass-market exploit vector for a long, long time.”
A spokesperson for Google declined to comment on its policy change.