A security researcher has discovered a serious bug in the WebView component of Android 4.3 and below that could open up phones to malicious hackers. But Google is doing nothing about it.

The bug, discovered by Tod Beardsley of Rapid7, is in WebView, an older piece of Android software that lets apps display web pages without launching a separate browser. The problem is that this component is baked directly into the OS itself, and patches aren't usually built for older versions of Android. As Google explained to Beardsley:

If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch.


That's perhaps understandable, but it does leave 60 percent of Android devices vulnerable. Even if Google did write a patch, the onus would fall on OEMs and carriers to issue it over the air. So, good luck with that.

In more recent versions of Android the bug isn't present, because the functionality that can be exploited is now rolled into the Google Play Services app. That allows updates to be delivered via the Play Store—a much easier process than sending over-the-air updates for an OS.

Perhaps unsurprisingly, Beardsley has called for Google to reconsider in this case—though it seems unlikely he'll succeed in convincing it. [Ars Technica via Engadget]


Image by Uncalno Tekno under Creative Commons license