UPDATE: New Android Vulnerability Affects 99 percent of Devices

Recently our Josh Cannell wrote about a troubling vulnerability that could exist in 99 percent of Android devices, one that would let malware bypass the Android security model.

Well, we have some encouraging news: Google has released a patch to fix the security hole, and the update has been released to OEMs and partners.

Gina Scigliano, Google’s Android Communications Manager, said that while Google didn’t have a statement, she could “confirm that a patch has been provided to our partners – some OEMs, like Samsung, are already shipping the fix to the Android devices.”


The question that remains is when we will get our updates.

Because of this thing called “fragmentation” we all hear about, some of us will have to wait longer than others, and some likely won’t get an update at all. Fragmentation is what happens when newer versions of the Android operating system are released but not all Android devices are able to receive them, leaving a fragmented ecosystem of many versions in use at once.

Nearly 40 percent of devices are still on versions 3.x or earlier. Carriers and device manufacturers have moved on from these devices, pretty much saying that if you want updates, buy a new phone.


When a vulnerability is found in a newer version like Jelly Bean, fragmentation pretty much guarantees that a fix will not be made available for older versions. Anything below 4.x will likely not see an update: the devices are considered outdated, and backporting the fix is too much work for manufacturers and carriers.

Google has been rolling out incremental updates, and this has helped carriers keep in sync, but again only for 4.x versions. Google has made a lot of progress in securing Android, but the platform has grown so big so fast that the impact isn’t immediately visible.

Fortunately, most vulnerabilities aren’t targeted by Android malware authors. Exploiting them is often too much trouble when there are easier routes, such as social engineering, where we unwittingly grant the app the permissions it asks for. No complex research, exploit scenarios or coding involved.

There has been no reported malware targeting this vulnerability, but malware authors were likely unaware of it too. They know now, so please update your device when notified.

You can manually check for updates through Android settings: Settings -> About Phone -> System Updates. I have yet to see an update notification on my devices; I do have a Nexus 4, which gets the latest updates from Google. This isn’t too telling, as it will take some time to test and roll out updates.
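If you would rather check a device from a workstation than tap through the Settings menu, the same information is exposed by `adb shell getprop`. The script below is an added example, not part of the original post: it pulls the release version and build fingerprint out of getprop-style output and applies the rule of thumb from this post (below 4.x, an update is unlikely). The `SAMPLE_GETPROP` text is constructed for the example; on a real device you would pipe `adb shell getprop` into `getprop_value` instead. The function names are this example's own.

```shell
#!/bin/sh
# Constructed sample of `adb shell getprop` output (example data, not captured
# from a device). Real usage: adb shell getprop | getprop_value ro.build.version.release
SAMPLE_GETPROP='[ro.build.version.release]: [4.2.2]
[ro.build.version.sdk]: [17]
[ro.build.fingerprint]: [google/occam/mako:4.2.2/JDQ39/573038:user/release-keys]
[ro.product.model]: [Nexus 4]'

# Extract one property value from getprop-style output on stdin.
# getprop prints each property as "[name]: [value]".
getprop_value() {
    sed -n "s/^\[$1\]: \[\(.*\)\]$/\1/p"
}

# Classify a release string ("4.2.2", "2.3.6", ...) by its major version.
# Threshold of 4 follows the post: anything below 4.x is unlikely to get the fix.
# Prints "likely", "unlikely", or "unknown" for a malformed version string.
update_outlook() {
    release="$1"
    major="${release%%.*}"
    case "$major" in
        ''|*[!0-9]*) echo "unknown"; return 1 ;;
    esac
    if [ "$major" -ge 4 ]; then
        echo "likely"
    else
        echo "unlikely"
    fi
}

# One-line report for a getprop dump passed as the first argument.
report() {
    props="$1"
    release=$(printf '%s\n' "$props" | getprop_value ro.build.version.release)
    fp=$(printf '%s\n' "$props" | getprop_value ro.build.fingerprint)
    printf 'release=%s fingerprint=%s update_outlook=%s\n' \
        "$release" "$fp" "$(update_outlook "$release")"
}

report "$SAMPLE_GETPROP"
```

The fingerprint is worth recording alongside the version: once your OEM ships the patched build, the fingerprint (not just the release number) is what changes, so it is the value to compare before and after an update.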


Armando Orozco

Senior Malware Intelligence Analyst

Faux geek who likes to keep it bland. Experienced in behavioral, PC, and mobile technologies.