
Over one billion Android devices at risk as they no longer receive security updates


More than one billion Android devices are at risk of being hacked or infected by malware, because they are no longer supported by security updates and built-in protection.

That’s the conclusion of an investigation by Which?, which found that at-risk smartphones are still being sold by third-parties via sites like Amazon, despite the range of malware and other threats to which they are vulnerable.

The report cites data that Google collected itself in May 2019, which discovered that 42.1% of active Android users worldwide were running version 6.0 (known as Marshmallow) of the operating system or earlier.

The problem with that picture is that the current version of Android is version 10, released last September. Its immediate predecessors – Android 9.0 Pie and Android 8.0 Oreo – continue to receive updates, but earlier versions do not.

To demonstrate the problem, Which? purchased a Motorola X, Samsung Galaxy A5 2017 and Sony Xperia Z2 from Amazon Marketplace sellers and put them to the test alongside an LG/Google Nexus 5 and Samsung Galaxy S6 it already had in its test lab.

In tests conducted with experts at AV-Comparatives, it was found that the phones were susceptible to a variety of vulnerabilities made public long ago.

These included:

  • BlueFrag – a critical vulnerability in Android’s Bluetooth component that could allow a nearby malicious hacker to compromise a device in order to steal data and spread malware.
  • Stagefright – first discovered in 2015, a vulnerability that let hackers silently and remotely infect unpatched Android devices with malware via a booby-trapped MMS message.
  • Joker (also known as Bread) – malware that poses as a legitimate app in the Google Play store, but registers victims’ devices for premium-rate services and plunders devices’ address books.

Kate Bevan of Which? is calling on phone manufacturers to be more transparent about how long consumers can expect to have their devices supported with critical security updates:

“It’s very concerning that expensive Android devices have such a short shelf life before they lose security support – leaving millions of users at risk of serious consequences if they fall victim to hackers. Google and phone manufacturers need to be upfront about security updates – with clear information about how long they will last and what customers should do when they run out.”

The best thing to do, of course, is for Android users to run a more secure version of the operating system on their smartphones – one that is still receiving security patches.
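One practical way to apply the article's cut-off across a set of handsets, as an added example that is not from Which? or the article: a Python script that parses `adb shell getprop` output and flags any device running a release below Android 8 or carrying a stale security patch level. The 90-day staleness threshold, the reference date and the sample property lines are assumptions.

```python
"""Flag Android devices that are outside security-update support.
Added example (not from the Which? report or the article). Works on
`adb shell getprop` text; cut-off per the article: Android 8.0+ still
updated. The 90-day patch-age threshold and sample lines are assumed."""
import re
from datetime import date

OLDEST_SUPPORTED_MAJOR = 8   # article: 8.0 Oreo, 9.0 Pie and 10 still get updates
MAX_PATCH_AGE_DAYS = 90      # assumed threshold for a stale patch level
TODAY = date(2020, 3, 6)     # constructed reference date for the sample run
_PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")


def parse_getprop(text):
    """Parse `[key]: [value]` lines from `adb shell getprop` into a dict."""
    props = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def assess(props, today):
    """Return ("at-risk" | "supported", [reasons]) for one device."""
    reasons = []
    release = props.get("ro.build.version.release", "")
    m = re.match(r"(\d+)", release)
    major = int(m.group(1)) if m else 0
    if major < OLDEST_SUPPORTED_MAJOR:
        reasons.append(f"Android {release or '?'} no longer receives security updates")
    patch = props.get("ro.build.version.security_patch", "")
    try:
        y, mo, d = (int(x) for x in patch.split("-"))
        age = (today - date(y, mo, d)).days
        if age > MAX_PATCH_AGE_DAYS:
            reasons.append(f"security patch level {patch} is {age} days old")
    except ValueError:
        reasons.append("security patch level missing or unparseable")
    return ("at-risk" if reasons else "supported"), reasons


# Constructed sample getprop output for two devices (not real captures).
OLD_PHONE = "[ro.product.model]: [Sample A]\n[ro.build.version.release]: [6.0.1]\n" \
            "[ro.build.version.security_patch]: [2017-08-01]\n"
NEW_PHONE = "[ro.product.model]: [Sample B]\n[ro.build.version.release]: [10]\n" \
            "[ro.build.version.security_patch]: [2020-02-05]\n"

if __name__ == "__main__":
    for text in (OLD_PHONE, NEW_PHONE):
        props = parse_getprop(text)
        status, why = assess(props, TODAY)
        print(props["ro.product.model"], status, "; ".join(why))
```

Run it against real devices by feeding each handset's `adb shell getprop` output to `parse_getprop` and passing today's date to `assess`.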

But, if your older phone isn’t able to be updated, what steps should you take to better secure yourself?

Clearly, regular backups of important data are always a good idea. That’s sensible even if you aren’t worried about having your phone hacked, as a backup could save your bacon if you were to ever accidentally damage your phone or have it stolen.

But also be aware that the majority of malware threats for Android originate outside the official Google Play store. Be wary of side-loading apps from other sources as they may not have been as well vetted.

In addition, always be careful about clicking on suspicious-looking links or opening attachments in SMS or MMS messages if you are not expecting them.

You may also want to consider running a mobile anti-virus product on your device.

If smartphone security doesn’t improve, the only people who are going to be smiling about the more than one billion vulnerable Android devices will be the criminals themselves.

About the author

Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.