Google said that, contrary to earlier reports and to the word "may" used in the Symantec blog post, the flaw affects all versions of Android, not just Android 4.2 and earlier.
"We have now determined that applications which use the Java Cryptography Architecture (JCA) for key generation, signing, or random number generation may not receive cryptographically strong values on Android devices due to improper initialization of the underlying PRNG (pseudo-random number generator). Applications that directly invoke the system-provided OpenSSL PRNG without explicit initialization on Android are also affected."

Google acted quickly to patch the hole. It is already distributing patches for the flaw to device manufacturers.
However, because of the much-criticized fragmentation of Android, it could take a considerable amount of time for those patches to make their way into OEM ROM builds and then pass inspection by the various carriers.
An earlier vulnerability that exploited Android's so-called "master key" has also been patched by Google, but judging by the lack of ROM updates on the various handsets we have access to, that fix hasn't arrived yet either, at least not on all handsets on all carriers.
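An app that cannot wait for a patched ROM can take the default initialization out of the picture by seeding the PRNG itself before drawing any output. The following is an added example, not code from Google's patch or from the original article; the `/dev/urandom` path, the class name and the method names are assumptions made for illustration.

```java
import java.io.DataInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

// Added example: seed the JCA PRNG explicitly instead of trusting the
// platform's default initialization.
public final class ExplicitSeedDemo {
    // Assumption: the kernel entropy device lives at this path (Linux/Android).
    private static final String ENTROPY_DEVICE = "/dev/urandom";

    // Reads exactly n bytes from the kernel pool; a short read throws EOFException.
    static byte[] kernelEntropy(int n) throws IOException {
        byte[] buf = new byte[n];
        DataInputStream in = new DataInputStream(new FileInputStream(ENTROPY_DEVICE));
        try {
            in.readFully(buf);
        } finally {
            in.close();
        }
        return buf;
    }

    // Returns a SecureRandom seeded with 256 bits of kernel entropy before first use,
    // so its state never depends only on the default seeding.
    static SecureRandom explicitlySeeded() throws IOException {
        SecureRandom rng = new SecureRandom();
        rng.setSeed(kernelEntropy(32));
        return rng;
    }

    // Draws key bytes from the seeded instance rather than a default-constructed one.
    static SecretKey newAesKey() throws IOException {
        byte[] raw = new byte[32];
        explicitlySeeded().nextBytes(raw);
        return new SecretKeySpec(raw, "AES");
    }

    public static void main(String[] args) throws IOException {
        // Sanity check: two independently seeded instances must not repeat output.
        byte[] a = newAesKey().getEncoded();
        byte[] b = newAesKey().getEncoded();
        if (Arrays.equals(a, b)) throw new IllegalStateException("PRNG output repeated");
        System.out.println("generated two distinct " + (a.length * 8) + "-bit AES keys");
    }
}
```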