Posted in Shoddy Security, Undependable Support

Google leaves users on older versions of Android insecure by ending support

Responsibility: it’s not Google’s policy.

Millions of Android users could be at risk as Google cuts back on security updates for older versions of its smartphone operating system.

The risk arises because Google has stopped producing security updates for parts of those older versions.

About 60% of all Android users, those on Android 4.3 or older, will be affected by the change.

The researchers who uncovered the policy change said it was “great news for criminals”.

How ironic: The company that made “do no evil” its motto is now increasingly a friend to evildoers as well as the National Security Agency.

Tod Beardsley and Joe Vennix from security firm Rapid7 and independent vulnerability finder Rafay Baloch contacted Google to let it know about the loophole. They expected to hear about the work Google was doing to patch the bug but instead were told that it was now only fixing bugs found in the two most recent versions of Android, known as KitKat (4.4) and Lollipop (5.0).

In a blog post, Mr Beardsley said Google’s Android security team told him it would “welcome” a patch from the researchers if they produced one but would not be making one itself. It added that it would tell its Android partners about the bug even though no fix would be forthcoming.

Mr Beardsley said the response was so “bizarre” that he contacted Google for clarification and was told again that many components of Android in earlier versions of the OS would not be getting fixes.

Tod Beardsley is to be commended for exposing Google as an irresponsible software developer. It is truly appropriate that two of the news categories here on Leave Google Behind are Shoddy Security and Undependable Support. That’s exactly what you get when you buy a product running Google software, especially mass-produced Android smartphones. Google will gladly keep on tracking you even while they leave the holes in the operating system they made for your phone unpatched.

A word to the wise: Leave Google Behind. Stay far, far, far away from Android. Get a phone running BlackBerry, Windows Phone, or Firefox OS instead.