More than one billion Android devices around the world are no longer supported by security updates, leaving them potentially vulnerable to attack.
Consumer watchdog Which? has calculated that two in five Android devices are no longer receiving vital security updates from Google, putting them at greater risk of malware or other security flaws.
Android 10 (which lacks a confectionery themed code name) is the most recent version, and while it and its predecessors Android 9 (Pie) and 8 (Oreo) are still in getting security updates, using anything below Android 8 "will carry security risks," Which? said.
Based on Google's own data from last year, around 40% of Android active users worldwide are on version 6.0 or earlier: Marshmallow (2015), Lollipop (2014), KitKat (2013), Jellybean (2012), Ice Cream Sandwich (2011) and Gingerbread (2010). According to the Android Security Bulletin, there were no security patches issued for the Android system in 2019 that targeted Android versions below 7.0 (Nougat).
SEE: IT pro's guide to the evolution and impact of 5G technology (free PDF)
"That means more than one billion phones and tablets were active around the world that no longer received security updates," said Which?
Which? also bought a number of three-year-old Android devices, most of which could only run Android 7.0. Security experts engaged by the consumer body were able to infect all of them with malware, including multiple infections on some.
All of the phones in the tests were infected successfully by Joker – also known as Bread – malware. Every single device tested was also infected with Bluefrag, a critical vulnerability that focuses on the Bluetooth component of Android.
Which? said there should be greater transparency around how long updates for smart devices will be provided so that consumers can make informed buying decisions, and that customers should get better information about their options once security updates are no longer available. The watchdog also said that smartphone makers have questions to answer about the environmental impact of phones that can only be supported for three years or less.
Google told ZDNet: "We're dedicated to improving security for Android devices every day. We provide security updates with bug fixes and other protections every month, and continually work with hardware and carrier partners to ensure that Android users have a fast, safe experience with their devices."
When operating systems and security updates are delivered varies depending on the device, manufacturer and mobile operator. Because smartphone makers will tweak bits of the Android operating system, they often deploy patches and updates at a slower pace than Google does on its own devices, or not at all.
SEE: Google to Samsung: Stop messing with Linux kernel code. It's hurting Android security
Google's Pixel phones get Android version updates and security updates for at least three years from when the device first became available on the Google Store.
While consumers are holding onto devices longer now, the average user will replace a handset after around three years. Operating systems for other devices – like PCs – are supported for much longer. Windows 7, for example, was launched in 2009 but only finally went out of support earlier this year.