Google has ceased patching a core component of older versions of its Android mobile operating system in a move that could leave millions of Android users susceptible to attack.
Security researchers from infosec vendor Rapid7 today revealed Google would no longer provide fixes for WebView - a core OS component in Android that is used to render web pages in the Jelly Bean version (Android 4.3) and older.
WebView was replaced by the Chrome browser in the newer KitKat (4.4) and Lollipop (5.0) versions.
"In other words, Google is now only supporting the current named version of Android (Lollipop, or 5.0) and the prior named version (KitKat, or 4.4). Jelly Bean (versions 4.0 through 4.3) and earlier will no longer see security patches for WebView from Google," the Rapid7 researchers wrote.
"Up until recently, when there's a newly discovered vulnerability with Android 4.3, the folks at Google were pretty quick with a fix. After all, most people were on the Jelly Bean version of Android until December of 2013. Jelly Bean's final release was just over a year ago in October of 2013."
The researchers said that after they reported a new vulnerability in a pre-KitKat version of WebView, they were informed by Google that the company would not take action on any reports of vulnerabilities for versions prior to KitKat, unless the report included its own patch developed by someone other than Google.
"I've never seen a vulnerability response program that was gated on the reporter providing his own patch, yet that seems to be Google's position. This change in security policy seemed so bizarre, in fact, that I couldn't believe that it was actually official Google policy," Rapid7 engineering manager Tod Beardsley wrote.
He said Google advised users on older versions of Android to upgrade to the latest version to ensure security.
But Beardsley called the policy shift "eyebrow-raising" given that the versions of the operating system Google will no longer patch represent about 60 percent of the Android ecosystem, while the latest version - Lollipop (Android 5.0) - makes up less than 0.1 percent of the installed market, according to Google's own statistics.
"This is great news for penetration testers, of course; picking company data off of Android phones is going to be drop-dead easy in many, many cases, and I fully expect that handsets will be increasingly in-scope for penetration testing engagements," he said.
"Unfortunately, this is great news for criminals for the simple reason that, for real bad guys, pretty much everything is in scope."
Google declined to comment.