So the majority of Android users who will not be able to upgrade will still be at risk?
Solution, buy a new phone.
Jay Freeman, aka @saurik, has detailed another Zip implementation bug in pre-4.4 (Kit Kat) versions of Android which, similarly to the notorious APK vulnerability exposed earlier this year, opens a hole that malware can sneak through. Freeman – whose previous credentials include security analysis of Google Glass and uncovering …
You do realise that there are repositories of legitimate Android apps other than the Play store, don't you? - or perhaps not.
This isn't an Apple-like situation, where there is only one source allowed - downloading apps from somewhere other than Play doesn't automatically place an individual in the " retards that "shop" for warez" category.
I've just had a look at CyanogenMod – they pulled the fix in just yesterday. Here's the commit for the 10.2 branch.
I fully expect that they're not the only ones to have pulled it in.