A 5 year old bug in a Qualcomm chipset used in many Android phones allows a hacker to elevate their privileges and read SMS and call history data, change system settings or disable the lock screen.
Hackers could exploit this bug by having physical access to an unlocked phone or by getting a user to install a malicious app.
The bug affects older versions of the Android OS, like version 4.3 and earlier, the most. Since that software is likely not supported by anyone, those phones likely will never be patched.
The Android OS added something call Security Enhancements for Android in version 4.4 which reduces significantly but does not eliminate the problem. This is the main reason why Apple tries really hard to force people to upgrade OS versions, even if it means that they have to trash their old phones.
Congress is now investigating the issue of OS support in old phones (yes – we’re from the government and we’re here to help you), however, that is unlikely to change anything any time soon.
Google released a patch for this bug on May 1, but given the carrier’s track record at releasing patches, it is likely going to be months before most users see that patch – if ever. Google says that Nexus phones are not vulnerable to this – I assume this means that they do not use the Qualcomm chip that is at the heart of this problem,
For any given user, it would be difficult to figure out whether their particular phone is susceptible, but users running Lollipop (V5) and Marshmallow (V6) are likely least affected.
One more time, Apple beats Google because they control the supply chain end to end. In a closed world, where one company makes the phones and the OS, they can force patches quickly. In the Android world, Google can release patches and patch their Nexus phones, but have very little control over the handset makers like LG and Samsung or the Carriers like AT&T or Sprint.
Congress could potentially have some impact here, but I am not counting on them doing anything smart. They do not seem to have a good track record.
Information for this post came from Ars Technica.