More than a billion hopelessly vulnerable Android gizmos in the wild that no longer receive security updates – research

File this one under "well, duh." Consumer mag Which? today published research estimating that over a billion Android devices are vulnerable to hackers and malware as they are not receiving security updates.

Data obtained from Google by the publication found that 42.1 per cent of active Android users are languishing on version 6.0 or earlier.

The most current version of Android is version 10, while Android 9.0 Pie and Android 8.0 Oreo continue to receive updates. The Chocolate Factory is expected to release a major update to the world's most popular mobile operating system, Android 11, later this year.

Anything below Android 8.0, therefore, is vulnerable. Extrapolating from the data, Which? believes that almost one billion Android phones are inherently vulnerable.

Compounding the problem is the proliferation of older devices on sites like Amazon, where they're sold by third parties. The mag bought a handful of phones – including the Motorola X, Sony Xperia Z2, and Samsung Galaxy A5 2017 – and found they were susceptible to a host of long-discovered vulnerabilities, including Stagefright, Bluefrag and the Joker Android malware.

Which? is encouraging those with older phones who can't update to take sensible precautions – such as avoiding side-loaded apps and ensuring their data is backed up.

Of course, there's no silver bullet. The mere existence of a patch doesn't necessarily mean that manufacturers will actually send them downstream to devices in a timely way – or, indeed, at all.

Google makes a point of delivering monthly security updates to its Pixel phones. Besides that, there are also phones released under the Android One programme, which ensures devices receive at least three years' worth of security updates, as well as two OS upgrades.

Nokia is perhaps the best example of a vendor that's jumped on the Android One bandwagon. It's therefore no surprise that last August, Counterpoint Research ranked it as the top manufacturer for providing device updates, with 96 per cent of devices sold since Q3 2018 on the latest and greatest version of Android.

Following close behind was Samsung and Xiaomi, which had 89 and 84 per cent of their users on the latest version respectively.

Ultimately, this issue is down to the fact that Android has always been utterly fragmented. From its inception, Google has allowed vendors to have almost free rein. This contrasts wildly to Apple, which is known for exercising tight control of its iPhone platform.

And while Google's approach has allowed a broad sense of differentiation in the smartphone market, it's come with a cost to consumers.

Manufacturers can determine the life cycle of a phone, and how long it should receive updates. The fewer updates, the less they have to spend in terms of people hours.

Which? is calling for manufacturers to exercise greater transparency and explicitly outline how long their devices will receive critical software updates.

In a statement, Kate Bevan, Computing Editor at Which?, said: "It's very concerning that expensive Android devices have such a short shelf life before they lose security support – leaving millions of users at risk of serious consequences if they fall victim to hackers.

"Google and phone manufacturers need to be upfront about security updates – with clear information about how long they will last and what customers should do when they run out."

Which? also wants action on a legislative level to ensure that there's a benchmark for how long a device will receive updates – although it didn't specify how long.

"The government must also push ahead with planned legislation to ensure manufacturers are far more transparent about security updates for smart devices – and their impact on consumers," said Bevan. ®