One billion Android devices vulnerable to hacking attacks
Which? has found that over one billion smartphones running old versions of the Android operating system are susceptible to attacks from cyber criminals.
Using Google data, the consumer group found that around two in five (40 per cent) Android users worldwide are no longer receiving vital security updates from Google, potentially putting them at risk of data theft, ransom demands and a range of other malware attacks that could leave them facing bills for hundreds of pounds.
The open source nature of Android has led many different manufacturers to develop their own, tweaked versions of the operating system that all need to be developed separately from Google’s base versions.
This has led to a fractured market where some manufacturers are more diligent about ensuring that their customers receive the latest features and security updates while others are less reliable.
Which? said that the affected devices are “not necessarily” old models and are still available to buy through online marketplaces.
Its researchers took a selection of affected phones and tablets into its labs, including handsets still available to buy from online marketplaces such as Amazon, and found they could easily be hit by a range of malware and other threats.
Researchers tested a range of phones, including models from Motorola, Samsung, Sony and LG/Google, and found them vulnerable to hacks that could allow personal information to be stolen, let a hacker take complete control of the phone, or leave the owner with large bills for services they have not used themselves.
In 2015, Google started releasing security updates for Android on a monthly basis that are separate from 'full-fat' new versions of the operating system that come with new features.
Many of the major OEMs typically provide feature updates for their devices for around two years after their original release, with longer support for security patches. Once the devices stop receiving the patches, they are left vulnerable to any flaws found in the Android OS from that point on.
Which? said that anyone using an Android phone released around 2012 or earlier – including popular models like the Samsung Galaxy S3 and Sony Xperia S – should be especially concerned, since it’s likely that they will be running a version of Android that does not include the various security enhancements which Google has been rolling out since then.
Which? said that legislation for mandatory security requirements should be introduced that would put the onus on manufacturers to provide clear information about the length of time for which security updates will be provided.
According to Google's own figures from 2019, there are more than 2.5 billion active Android devices in the world.
Because Apple’s iOS is available only on iPhone handsets, these devices typically receive both security and feature updates for several years after Android manufacturers have abandoned their older models.
The more open nature of the Android operating system also allows users to ‘sideload’ their own apps, which can provide another vector for attackers given that Google is not scanning these for security vulnerabilities.
Which? computing editor Kate Bevan argued that consumers should be able to rely on longer periods of support for their mobile devices.
“It’s very concerning that expensive Android devices have such a short shelf life before they lose security support, leaving millions of users at risk of serious consequences if they fall victim to hackers,” she said.
“Google and phone manufacturers need to be upfront about security updates, with clear information about how long they will last and what customers should do when they run out.
“The Government must also push ahead with planned legislation to ensure manufacturers are far more transparent about security updates for smart devices and their impact on consumers.”
Previous studies have indicated that smartphone owners in Europe and the US are holding onto their devices for longer, with smaller steps in innovation each year and the rising price of smartphones cited as key reasons for not upgrading more regularly.