More than one billion Android devices around the world are vulnerable to attack by hackers because they are no longer supported by security updates and built-in protection, new research by Which? has found.
The consumer champion crunched Google data, which shows a staggering two in five (40%) Android users worldwide are no longer receiving vital security updates from Google, potentially putting them at risk of data theft, ransom demands and a range of other malware attacks that could leave them facing bills for hundreds of pounds.
The findings come as Which? adds warnings to its reviews of potentially affected smartphones – which are not necessarily old models and are still available to buy through online marketplaces – so consumers are aware of the risk.
Which? experts took a selection of affected phones and tablets into its labs, including handsets still available to buy from online marketplaces such as Amazon, and found they could easily be hit by a range of malware and other threats.
Researchers tested a range of phones including models from Motorola, Samsung, Sony and LG/Google and found them vulnerable to hacks that could allow personal information to be stolen, a hacker to take complete control of the phone, or large bills to be run up for services that the phone owner hasn’t used themselves.
Recently out-of-support devices won’t immediately have problems, but without security updates, the risk to the user of being hacked goes up exponentially. Generally speaking, the older the phone, the greater the risk.
Anyone using an Android phone released around 2012 or earlier – including popular models like the Samsung Galaxy S3 and Sony Xperia S – should be especially concerned, since it’s likely they will be running a version of Android that does not include various security enhancements Google has been rolling out since.
Google declined to respond when Which? asked for data on how many UK users are likely to be affected. But the consumer champion estimates there could potentially be millions of old unsupported Android devices still in use in the UK.
Which? shared its findings with Google but the tech giant’s response failed to provide reassurance that it has plans in place to help users whose devices are no longer supported.
Which? is calling for far more transparency around how long updates for smart devices will be provided so consumers can make informed buying decisions. The industry must also do a better job of giving support and guidance to customers about their options once security updates are no longer available.
Proposed legislation for mandatory security requirements – putting the onus on manufacturers to provide clear information about how long security updates will be provided for – and strong enforcement for manufacturers, retailers and online marketplaces that fall short are essential to tackle the growing problem of digital obsolescence.
Which? believes Google and other manufacturers also have questions to answer about the environmental impact of phones that can only be supported for three years or less – meaning consumers frequently need to fork out hundreds of pounds to replace them, while old phones end up piled up in landfill.
Kate Bevan, Which? Computing editor, said: “It’s very concerning that expensive Android devices have such a short shelf life before they lose security support – leaving millions of users at risk of serious consequences if they fall victim to hackers.
“Google and phone manufacturers need to be upfront about security updates – with clear information about how long they will last and what customers should do when they run out.
“The government must also push ahead with planned legislation to ensure manufacturers are far more transparent about security updates for smart devices – and their impact on consumers.”
Which? Tips
My Android phone is working fine, so why should I ditch it?
If your Android device is more than two years old, check if it can be updated to a newer version of Android. Open your phone or tablet Settings app, then tap System > Advanced > System update. You can then see your Android version.
If you are on a version before Android 7.0 Nougat, try to update your system. Still in the System update section, follow the instructions to run the update.
If you can’t update to a newer version, you’ll need to consider that there will be an increased risk in using your device going forward – especially if you are running a version of Android 4 or lower.
What should I do if my mobile phone is no longer updated?
The older the phone, the greater the risk. Anyone with a smartphone that runs Android 4 or earlier should seriously consider whether it’s worth the risk to their data and privacy to continue using the device. However, there is an increased risk to any device that is no longer being supported by security updates. If you are still using such a phone, carefully consider the following advice until you upgrade.
1. Be careful what you download: The majority of threats come from downloading apps from outside the Google Play store, so be very wary of that. If you do sideload an app, check carefully that it is official and always manually re-enable the ‘unknown sources’ block in your Android settings after you’re finished. This is done automatically in newer Android versions.
2. Watch what you click on: As well as traditional phishing threats that might arrive via email, variations on these threats can be sent to a phone via SMS or MMS messages to take advantage of vulnerabilities found on some older versions of Android. Be very wary of clicking on any links that look suspicious, especially if they are from senders you’re not familiar with.
3. Back up your data: Make sure all your data is backed up in at least two places (a hard drive and a cloud service). If something goes wrong and you do get infected, this will help to ensure you won’t lose access to anything vital.
4. Get mobile antivirus: There is a range of additional apps that can provide some protection for your older Android device against security threats. Bear in mind, though, that the choice might be limited for really old Android builds. We could barely find any reputable services for the Sony Xperia Z2 running Android 4.4.
Which? advice guide for people who are using phones that no longer receive security updates: https://www.which.co.uk/reviews/mobile-phones/article/mobile-phone-security-is-it-safe-to-use-an-old-phone