
Google drops security updates for WebKit in Android 4.3 and below

January 13, 2015

Google has come under fire from security professionals, including Rapid7, for discontinuing security updates for devices running Android 4.3 and lower, leaving 969 million users vulnerable to a bug in the WebView tool.

Android uses WebView to allow apps, such as an RSS reader, to display web content inside the app. In the newer Android 4.4 (KitKat), the tool is based on Chromium, and in Android 5.0 (Lollipop) it is unbundled from OS updates and can therefore receive security updates through Google Play.

But, according to Rapid7, “as of January 5, 2015, the current release, Lollipop, is less than 0.1% of the installed market.”

So Google's strategy leaves a large number of users, hundreds of millions, vulnerable to attackers who could infect their devices with malware. Close to one billion Android phones will not receive security patch support from Google.
