A vulnerability has been found in Android that has the potential to be very damaging. It doesn’t require any interaction from the owner of the device and allows an attacker to access the device and all of its data remotely. According to the security researcher who found the bug, it can take over the phone “before the sound that you’ve received a message has even occurred …”
What makes this even more damaging is that, although Google claims users of newer versions of the Android operating system are protected from the worst of the bug, people who aren’t running newer versions may have to buy a completely new phone to get a fix. Google doesn’t have as much influence over the actual devices that run Android as Apple does over the devices that run iOS, Apple’s mobile operating system. For the most part, the devices in people’s hands can only be updated by the mobile carriers or the device manufacturers, two groups that have historically been very reluctant to update old devices to newer versions of Android, even when security fixes are at stake.
Here’s the distribution of versions of Android that people are actually using today:
See that part of the pie marked “Lollipop”? That’s most likely what Google means when it says “newer versions”.[1] So the vast majority (approximately 88%) of Android devices people are actually using are completely vulnerable to this. And according to the most recent IDC smartphone market share data, Android has an estimated 78% of the smartphone market as measured by shipments.[2] This means as much as two-thirds of the smartphones currently in use are completely vulnerable to this attack, with possibly no relief other than “buy a new phone”.
This has the potential to significantly impact the mobile market. It will be interesting to see how everyone handles it.
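| Version | Codename | Distribution |
|---|---|---|
| 2.2 | Froyo | 0.3% |
| 2.3.3-2.3.7 | Gingerbread | 5.6% |
| 4.0.3-4.0.4 | Ice Cream Sandwich | 5.1% |
| 4.1.x | Jelly Bean | 14.7% |
| 4.2.x | Jelly Bean | 17.5% |
| 4.3 | Jelly Bean | 5.2% |
| 4.4 | KitKat | 39.2% |
| 5.0 | Lollipop | 11.6% |
| 5.1 | Lollipop | 0.8% |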
[2] Of course, there are potentially huge flaws with measuring “market share” this way, but let’s leave that aside for now …