Almost a billion users of Android-based devices could find themselves at risk as Google has apparently decided to reduce the development of security updates for older versions of its operating system for mobile devices.
Google has stopped releasing security updates for portions of the pre-KitKat versions of Android, which will affect users with devices on Android 4.3 or older. This is equivalent to around 60 percent of all users of Android devices.
The news was brought to light by Rapid7 security company analysts Tod Beardsley and Joe Vennix, along with independent vulnerability finder Rafay Baloch.
The experts discovered vulnerabilities in the webview component of Android Jelly Bean, which is Android 4.3. The webview component is the one used by Android devices to display webpages.
The security experts informed Google of the vulnerability, expecting to receive a response that the company would be developing a patch to fix the issue. However, the response that they received was entirely the opposite of what they expected.
Google's response was that the company will now only be fixing issues found in Android's two most recent releases, namely Android 4.4 KitKat and Android 5.0 Lollipop.
The Android security team of Google also told Beardsley that it will "welcome" if the researchers would develop a patch, but the team will not be developing one itself. The team also said that it will inform Android partners regarding the issue, despite the fact that there would be no fix that will be released.
Beardsley found the response very bizarre, so he further contacted Google for clarifications regarding it. Once again, he was told that components for older versions of the Android OS will no longer be receiving patches to fix security issues such as the one that Beardsley discovered.
"It would appear that over 930 million Android phones are now out of official Google security patch support," wrote Beardsley in a blog post, representing the total number of users now exposed to vulnerabilities due to Google's decision.
"Any new bug discovered in 'legacy' Android is going to last as a mass-market exploit vector for a long, long time," Beardsley added.
According to Beardsley, criminals will welcome this news, as users will now become permanently invulnerable as exploits are found in the operating systems of their devices.
While users can simply upgrade their Android devices to the latest versions of the operating system, it should be noted that there are some devices that simply cannot be updated to Android 5.0 Lollipop.
Android 5.0 Lollipop currently represents less than 0.1 percent of the installed Android versions in the market.
