More than one billion Android devices globally are no longer supported by operating system security updates, leaving them potentially exposed to a slew of harmful cyberattacks and their users at risk of being hacked, a study by the UK consumer watchdog Which? has found.
By crunching data from Google, Which? calculated that two in every five (40%) Android devices are currently no longer receiving “vital security updates” from Google, putting them in a high risk category in terms of their susceptibility to malware and other security flaws.
According to the researchers, Android devices that are no longer supported are at high risk, with the lack of an update to the operating system “potentially putting them at risk of data theft, ransom demands and a range of other malware attacks that could leave them facing bills for hundreds of pounds.”
Which Android devices are at risk?
The current operating system version of Android, Android 10, as well as both Android 9 (‘Android Pie’) and Android 8 (‘Android Oreo’) are all reported still to be receiving Android’s security updates. However, Which? warns, using any version that is older than Android 8 will bring with it increased security risks.
The consumer watchdog’s findings are troubling when set alongside data from Google about the prevalence of older versions of Android. According to Which?, 42.1% of active Android users worldwide are either using Android 6, or using an even earlier version.
In effect, this means that any user owning an Android phone released in 2012 or earlier should be concerned about the chance that their Android devices may fall victim to hackers.
Which? then went on to test several mobile phone models—namely the Motorola X, the Samsung Galaxy A5, the Sony Xperia Z2, the LG/Google Nexus 5, and the Samsung Galaxy S6—by deliberately having them infected with malware. The researchers found that infections were successful on every single one of the models tested, and that on some of the models, multiple infections had been successful.
“It’s very concerning that expensive Android devices have such a short shelf life before they lose security support,” Kate Bevan, computing editor at Which?, says. According to her, this effectively leaves “millions of users at risk of serious consequences if they fall victim to hackers.”
“Google and phone manufacturers need to be upfront about security updates,” Bevan continues, “with clear information about how long they will last and what customers should do when they run out.”
Which? went on to caution that there ought to be greater transparency around how long security updates for smart devices can be expected to last on Android devices, so that consumers are able to make more informed decisions when choosing a mobile phone.
The consumer watchdog also believes that customers should be better informed about what their options are once security updates are no longer available, and furthermore that concerns should be addressed about the environmental implication of designing mobile phones that are only intended for around three years of use, or less.
Safety without security updates
Because so many Android devices still in use around the world can no longer receive security updates, Which? advises users of these devices to pay close attention to the following four guidelines:
1. Stick to the Google Play Store for apps: A majority of security threats from apps come from outside the Play Store. If an app is downloaded from somewhere other than the Play Store, careful attention should be paid to whether or not it is an official and legitimate program, and the ‘Unknown Sources’ block in the Android settings should be manually re-enabled afterwards. (This is a safety feature that is taken care of automatically in newer Android versions.)
2. Beware of phishing via SMS: In addition to phishing attempts taking place over email, similar attacks can also arrive via SMS or MMS, designed to take advantage of the weak points left behind from a lack of security updates. Special caution should be taken with links sent from outside one’s contact list.
3. Make frequent backups: A good rule of thumb, Which? advises, is to make sure all data is backed up and stored in at least two places, e.g. on both a hard drive and on a cloud service.
4. Install an antivirus: Running antivirus software can add further protection to the phone and is highly advised. However, the older the version of the operating system an Android device is running, the fewer options are generally available to users.