Use latest Android if possible, urge security professionals

Android users advised to upgrade to latest version of OS as Google stops security updates for version 4.3 and earlier

Security professionals are urging Android users to update to the latest version of the mobile operating system (OS) after Google decided to halt security updates for version 4.3 and earlier.

The decision, prompted by vulnerabilities that researchers found in the pre-Chromium WebView component used by Android 4.3 and earlier, leaves around 60% of Android users without security support.

But millions of users may not be able to update to the latest version of Android, warned Tod Beardsley, a security researcher at Rapid7 who was among those who reported the WebView vulnerabilities to Google.

WebView, the component that Android apps use to render web content, was replaced with a Chromium-based implementation in Android 4.4 (KitKat).

Instead of issuing a security update for the version of WebView used in Android 4.3 and earlier, Google has withdrawn support for all versions of the OS released before Android 4.4.
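A quick way to tell whether a given handset falls on the unsupported side of that line is to read its build properties: Android 4.4 is API level 19, so any device reporting `ro.build.version.sdk` below 19 still carries the pre-Chromium WebView. The script below is an added example, not code from the article or from Google; it parses `getprop`-style output (the sample block is constructed for a 4.3 device), classifies the device, and includes a wrapper that runs the same check against a connected device via `adb`, which assumes `adb` is on the PATH and a device is attached.

```shell
#!/bin/sh
# Added example: classify an Android device's WebView support status from
# `getprop` output. Android 4.4 (KitKat) is API level 19; anything below it
# ships the pre-Chromium WebView that Google no longer patches.

# Constructed sample of `adb shell getprop` output for a 4.3 (API 18) device.
SAMPLE_GETPROP='[ro.build.version.release]: [4.3]
[ro.build.version.sdk]: [18]
[ro.product.model]: [ExampleDevice]'

# Extract one property value from "[name]: [value]" lines.
# $1 = getprop text, $2 = property name. Strips the \r that adb may emit.
prop() {
  printf '%s\n' "$1" | tr -d '\r' | sed -n "s/^\[$2\]: \[\(.*\)\]$/\1/p"
}

# Print "unsupported" (exit 1) when SDK < 19, "supported" (exit 0) otherwise,
# "unknown" (exit 2) when the SDK property is missing or not numeric.
webview_status() {
  sdk=$(prop "$1" ro.build.version.sdk)
  case "$sdk" in
    ''|*[!0-9]*) echo unknown; return 2 ;;
  esac
  if [ "$sdk" -lt 19 ]; then
    echo unsupported
    return 1
  fi
  echo supported
  return 0
}

# One-line human-readable report for a getprop dump.
report() {
  echo "$(prop "$1" ro.product.model) Android $(prop "$1" ro.build.version.release) (API $(prop "$1" ro.build.version.sdk)): WebView $(webview_status "$1")"
}

# Run against a connected device. Assumes adb is installed and a device is attached.
live_check() {
  report "$(adb shell getprop)"
}

# Usage against the constructed sample:
#   report "$SAMPLE_GETPROP"
```

The exit codes let the check drop into a fleet-audit loop (for example over the serials from `adb devices`) without parsing the printed text, and the "unknown" branch matters in practice because vendor builds occasionally omit or mangle properties.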

According to Beardsley, the Android security team told him it would “welcome” a patch from the researchers if they produced one, but would not be making one itself.

“In terms of solid numbers, it would appear that over 930 million Android phones are now out of official Google security patch support,” he wrote in a blog post.

Common sense approach to security

Chris Boyd, malware intelligence analyst at Malwarebytes, said despite the potential risk of exploits and drive-by attacks, the most likely method of attack is through fake or rogue applications.

“If they avoid sites offering free versions of popular apps and games, and always read the reviews on the Google Play store, then most people will be as safe as they can be, given this new approach to updates,” he said.

Aside from being careful about installing rogue or fake apps, the most obvious way to ensure Android users remain safe is to update to the latest version of the operating system, but Beardsley pointed out that this option is not open to everyone.

He said that while Google’s decision may appear reasonable, considering it is fairly unusual to support software products that are two or more versions behind, millions of users are stuck with legacy versions.

Beardsley added that the users exposed to pre-Chromium WebView vulnerabilities are precisely those least likely to be able to update to a version of Android that still receives security patches.

“The latest Google Nexus retails for about $660, while the first hit for an ‘Android Phone’ on Amazon retails for under $70.

“This is a nearly tenfold price difference, which implies two very different user bases – one market that doesn’t mind dropping a few hundred dollars on a phone, and one which will not or cannot spend much more than $100.

“Taken together, the two-thirds majority installed base of now-unsupported devices and the practical inability of that base to upgrade by replacing hardware means any new bug discovered in ‘legacy Android’ is going to last as a mass-market exploit vector for a long, long time,” he wrote.

Beardsley said although it is possible for handset manufacturers, service providers, retailers, or even enthusiastic users to come up with their own patches, it is impossible to say how often this will happen or how effective these non-Google-sourced patches will be.

For this reason, he appealed to Google’s security team to reconsider its decision.
