Google: We've fixed most of CIA's alleged Android exploits

Android and Chrome users with the latest updates shouldn't be worried about WikiLeaks' data dump on the CIA, according to Google.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
2 min read

Google Pixel, which has the latest Android version, should be safe from the CIA's exploits, Google says.

Jason Cipriani/CNET

The CIA won't be able to hack into the latest Android devices, according to Google.

The tech giant said Thursday that the CIA's alleged exploits and malware detailed in WikiLeaks' "Vault 7" release are already out of date. WikiLeaks released thousands of documents on Tuesday, accusing the CIA of creating malware and taking advantage of hidden exploits to crack into phones, TVs and cars. CNET is unable to verify whether the documents are real or have been altered.

"As we've reviewed the documents, we're confident that security updates and protections in both Chrome and Android already shield users from many of these alleged vulnerabilities," Heather Adkins, Google's director of information security and privacy, said in an emailed statement. "Our analysis is ongoing and we will implement any further necessary protections."

The listed Android exploits, one-third of which were named after Pokemon creatures, would give hackers remote access to devices, allowing spies to bypass encrypted messages. Different exploit programs work on different versions of Android and Chrome, including Dugtrio affecting Android devices with version 4.0 to 4.1.2, Totodile for devices running KitKat, and EggsMayhem giving remote access to devices on Chrome versions 32 to 39. Android is the OS for mobile devices, while Chrome is the OS for laptops.

The latest Android version is 7.0, while the current Chrome version is 55.0.2883. WikiLeaks' data dump from the CIA was allegedly from 2013 to 2016.

However, not every Android device has the latest update.

Because manufacturers and carriers can decide if and when certain phones get over-the-air updates for their Android devices, some people are left with older versions that can still be susceptible to the CIA's exploits.

"For some systems, like Android with many manufacturers, there is no automatic update to the system. That means that only people who are aware of it can fix it," WikiLeaks founder Julian Assange said Thursday at a press conference streamed on Periscope. "Android is significantly more insecure than iOS, but both of them have significant problems."

Apple also said its latest iOS version is protected from most of the CIA's exploits. Eighty percent of its users have upgraded to the latest version, Apple noted.

Other tech giants like Samsung, Microsoft and LG are still looking into their vulnerabilities.

Assange said Thursday he will let companies affected by the exploits look at the CIA's hacking tools so they can patch their vulnerabilities before they become public. He plans to release the hacking tools to the public once they are disarmed.

CNET Magazine: Check out a sample of the stories in CNET's newsstand edition.

Life, disrupted: In Europe, millions of refugees are still searching for a safe place to settle. Tech should be part of the solution. But is it?