After patching a critical flaw in the Android OS's code and releasing it to open source, Google hinted that Perception Point's estimate that more than two-thirds of the devices would be impacted by the Linux vulnerability was “exaggerated,” according to a Threatpost blog.
“We believe that no Nexus devices are vulnerable to exploitation by third party applications. Further, devices with Android 5.0 and above are protected, as the Android SELinux policy prevents third party applications from reaching the affected code,” Threatpost quoted Adrian Ludwig, Google's lead engineer for Android security, as saying. “Also, many devices running Android 4.4 and earlier do not contain the vulnerable code introduced in Linux kernel 3.8, as those newer kernel versions are not common on older Android devices.”
The blog noted that in a Thursday morning statement Perception Point stood by its estimations. “As stated, the bug affects android versions with KitKat and higher and it doesn't matter if the device has SELinux enabled or not. SELinux only affects the exploitation potential and as stated in the blog our research team is working on an exploitation for Android devices with SELinux enabled,” the statement said. “The results of that will be published in the next blogpost. Nexus with the newest version comes with the keyring feature compiled in. So we are still standing behind the ~66% of all android devices are affected by the bug.”