If there’s anyone in the mobile space who’s bad at upgrading their OS, it’s Android users. The mobile ecosystem has long suffered from abysmal adoption rates for newer iterations of the platform, with a mere one tenth of one percent of the entire user base updated to the most recent release, Lollipop 5.0.1.
The rest are stuck in purgatory on everything from KitKat all the way down to Gingerbread and Ice Cream Sandwich, two iterations that seem positively ancient by today’s standards.
And the news doesn’t get much better from there. This Friday, Google’s Android security engineers announced the discovery of a major exploit in another outdated release, Jelly Bean 4.3, that uses a hole in the default web browser to burrow into a user’s root folder and gain admin access with a few simple lines of code.
This is a big problem: even though the engineers were quick to point out that adoption of the newer iterations of their OS grows larger every day, as things stand, 60 percent of all Android owners are affected by a bug that the company has stated outright it has no intention of fixing.
According to the post on Google’s Google+ page, this is because attempting to fix the flaw could seriously jeopardize the safety of upcoming builds, and would be too difficult to implement given the state of the company’s software-distribution capabilities as they exist today.
“WebKit alone is over 5 million lines of code and hundreds of developers are adding thousands of new commits every month, so in some instances applying vulnerability patches to a 2+ year old branch of WebKit required changes to significant portions of the code and was no longer practical to do safely.”
For now, engineer and researcher Adrian Ludwig says users’ best bet, short of refreshing their entire OS, is to make sure the Chrome app is regularly updated through trusted sources in the Google Play store.
Obviously this may be a hard habit to keep up for users who aren’t already upgrading core components of their operating system.
“There are also steps users and developers can take to mitigate the risk of potential exploitation of WebKit vulnerabilities without updating to Lollipop. Using a browser that is updated through Google Play and using applications that follow security best practices by only loading content from trusted sources into WebView will help protect users.”
Considering that well over half of all Android devices connected to the net right now are vulnerable to this flaw, it could prove to be one of the largest mobile malware targets seen in the past ten years.
Now that its existence is public, it’s only a matter of time before criminals hop on board and run their botnets at full capacity to take advantage of the upgrade gap.
Other viable options include switching to another browser that Android supports, such as the mobile version of Firefox, or popular apps like Dolphin and Opera Mini.
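As an added illustration of the developer-side advice quoted above (my own example, not code from Google’s post or from any app named here), the following Android WebView setup limits a WebView to an allowlisted set of HTTPS hosts and switches off the settings that let loaded content reach local files, which is what "only loading content from trusted sources into WebView" means in practice for an app that still runs on Jelly Bean. The class name, the `TrustedWebView` helper methods and the two example.com hosts are assumptions made for this example.

```java
import android.net.Uri;
import android.net.http.SslError;
import android.webkit.SslErrorHandler;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Hypothetical helper for an app that still ships to Jelly Bean (4.3 and older) devices.
public final class TrustedWebView {
    // Constructed allowlist: the only hosts this WebView may ever load.
    private static final Set<String> TRUSTED_HOSTS =
            new HashSet<>(Arrays.asList("www.example.com", "static.example.com"));
    // True only for https URLs whose host is on the allowlist.
    public static boolean isTrusted(String url) {
        Uri uri = Uri.parse(url);
        String host = uri.getHost();
        return "https".equals(uri.getScheme()) && host != null
                && TRUSTED_HOSTS.contains(host.toLowerCase());
    }
    // Apply once, e.g. from Activity.onCreate(), before the first load.
    public static void configure(WebView webView) {
        WebSettings s = webView.getSettings();
        s.setJavaScriptEnabled(false);                // no script from loaded pages
        s.setAllowFileAccess(false);                  // no file:// URLs
        s.setAllowContentAccess(false);               // no content:// URLs
        s.setAllowFileAccessFromFileURLs(false);      // API 16+
        s.setAllowUniversalAccessFromFileURLs(false); // API 16+
        webView.setWebViewClient(new WebViewClient() {
            // Cancel any link navigation that would leave the allowlist.
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isTrusted(url); // true tells the WebView not to load it
            }
            // Never click through a TLS error; a tampered page is untrusted content.
            @Override
            public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
                handler.cancel();
            }
        });
    }
    // The initial loadUrl() is not routed through shouldOverrideUrlLoading, so gate it here.
    public static boolean loadTrusted(WebView webView, String url) {
        if (!isTrusted(url)) return false;
        webView.loadUrl(url);
        return true;
    }
}
```

Pages that genuinely need JavaScript would re-enable it only after the allowlist check, since on these OS versions the WebKit engine itself is what will not be patched.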