An exploit has been found in the Android operating system that affects Android 4.1 to 4.3, aka Jelly Bean, which began shipping in mid-2012 and was the primary version of Android through late 2013.
Before KitKat (Android 4.4), all versions of Android used the version of WebView found within the Android browser for rendering HTML webpages, and it’s this WebView component that is vulnerable. Android 4.4 and 5.0 are unaffected as they use Blink rather than WebKit for their WebView. This isn’t a minor issue, as approximately 46% of currently active Android devices use the affected OS.
When contacted regarding the exploit, Google responded with the following:
“If the affected version [of WebView] is before 4.4, we generally do not develop the patches ourselves, but welcome patches with the report for consideration. Other than notifying OEMs, we will not be able to take action on any report that is affecting versions before 4.4 that are not accompanied with a patch”
In essence, Google stated that it had no intention of patching the flaw itself.
Of course, Google releasing a patch for Android 4.3 and below wouldn’t be the only step. Original equipment manufacturers, or OEMs (manufacturers who sell others’ products under their own name and branding, such as Acer using Intel chips or ASUS’s ZenUI, a custom version of Android 5.0), would need to include that patch in their own firmware updates, which would still require further validation and customization from mobile operators.
All of this makes it less likely that an Android user would ever receive any patch Google were to release.