Void Android: More than one billion Android devices at risk of hacking attacks

More than one billion Android devices around the world are vulnerable to attack by hackers because they are no longer supported by security updates and built-in protection, new research by Which? has found.

The consumer champion crunched Google data, which shows a staggering two in five (40%) Android users worldwide are no longer receiving vital security updates from Google, potentially putting them at risk of data theft, ransom demands and a range of other malware attacks that could leave them facing bills for hundreds of pounds.

The findings come as Which? adds warnings to its reviews of potentially affected smartphones – which are not necessarily old models and are still available to buy through online marketplaces – so consumers are aware of the risk.

Which? experts took a selection of affected phones and tablets into its labs, including handsets still available to buy from online marketplaces such as Amazon, and found they could easily be hit by a range of malware and other threats.

Researchers tested a range of phones including models from Motorola, Samsung, Sony and LG/Google and found vulnerability to hacks including enabling personal information to be stolen, a hacker to take complete control over the phone or large bills for services that the phone owner hasn’t used themselves.

Recently out-of-support devices won’t immediately have problems, but without security updates, the risk to the user of being hacked goes up exponentially. Generally speaking, the older the phone, the greater the risk.

Anyone using an Android phone released around 2012 or earlier – including popular models like the Samsung Galaxy S3 and Sony Xperia S, should be especially concerned, since it’s likely they will be running a version of Android that does not include various security enhancements Google has been rolling out since.

Google declined to respond when Which? asked for data on how many UK users are likely to be affected. But the consumer champion estimates there could potentially be millions of old unsupported Android devices still in use in the UK.

Which? shared its findings with Google but the tech giant’s response failed to provide reassurance that it has plans in place to help users whose devices are no longer supported.

Which? is calling for far more transparency around how long updates for smart devices will be provided so consumers can make informed buying decisions. The industry must also do a better job of giving support and guidance to customers about their options once security updates are no longer available.

Proposed legislation for mandatory security requirements – putting the onus on manufacturers to provide clear information about how long security updates will be provided for – and strong enforcement for manufacturers, retailers and online marketplaces that fall short are essential to tackle the growing problem of digital obsolescence.

Which? believes Google and other manufacturers also have questions to answer about the environmental impact of phones that can only be supported for three years or less – meaning consumers frequently need to fork out hundreds of pounds to replace them, while old phones end up piled up in landfill.

Kate Bevan, Which? Computing editor, said:

“It’s very concerning that expensive Android devices have such a short shelf life before they lose security support – leaving millions of users at risk of serious consequences if they fall victim to hackers.

“Google and phone manufacturers need to be upfront about security updates – with clear information about how long they will last and what customers should do when they run out.

“The government must also push ahead with planned legislation to ensure manufacturers are far more transparent about security updates for smart devices – and their impact on consumers.”

Which? tips

My Android phone is working fine, so why should I ditch it?

If your Android device is more than two years old, check if it can be updated to a newer version of Android. Open your phone or tablet Settings app, then tap System > Advanced > System update. You can then see your Android version.

If you are on a version before Android 7.0 Nougat, try to update your system. Still in the System update section, follow the instructions to run the update.

If you can’t update to a newer version, you’ll need to consider that there will be an increased risk of using your device going forwards – especially if you are running a version of Android 4 or lower.

What should I do if my mobile phone is no longer updated?

The older the phone, the greater the risk. Anyone with a smartphone that runs Android 4 or earlier should seriously consider whether it’s worth the risk to their data and privacy to continue using the device. However, there is an increased risk to any device that is no longer being supported by security updates. If you are still using such a phone, carefully consider the following advice until you upgrade.

1. Be careful what you download: The majority of threats come from downloading apps from outside the Google Play store, so be very wary of that. If you do sideload an app, check carefully that it is official and always manually re-enable the ‘unknown sources’ block in your Android settings after you’re finished. This is done automatically in newer Android versions.

2. Watch what you click on: As well as traditional phishing threats that might arrive via email, variations on these threats can be sent to a phone via SMS or MMS messages to take advantage of vulnerabilities found on some older versions of Android. Be very wary of clicking on any links that look suspicious, especially if they are from senders you’re not familiar with.

3. Back up your data: Make sure all your data is backed up in at least two places (a hard drive and a cloud service). If something goes wrong and you do get infected, this will help to ensure you won’t lose access to anything vital.

4. Get mobile antivirus: There are a range of additional apps that can provide some protection for your older Android device against security threats. Bear in mind, though, that the choice might be limited for really old Android builds. We could barely find any reputable services for the Sony Xperia Z2 running Android 4.4.

Which? advice guide for people who are using phones that no longer receive security updates: https://www.which.co.uk/reviews/mobile-phones/article/mobile-phone-security-is-it-safe-to-use-an-old-phone

Notes to editors

  • The current software version is Android 10 while Android 9 (aka Android Pie) and Android 8 (Android Oreo) are still in theory getting security updates too. Using anything below Android 8 will carry security risks.
  • Based on Google’s own data from May 2019 (we asked Google for more up-to-date data but it did not respond), 42.1% of Android active users worldwide are on version 6.0 or earlier: Marshmallow (2015), Lollipop (2014), KitKat (2013), Jellybean (2012), Ice Cream Sandwich (2011) and Gingerbread (2010).

    According to the Android Security Bulletin, there were no security patches issued for the Android system in 2019 that targeted Android versions below 7.0 Nougat.

    That means more than 1bn phones and tablets were active around the world that no longer received security updates. We asked Google for UK data but again it declined to respond. However, we estimate there could be millions of old Android devices still in use in the UK.

  • In January 2020, Which? purchased a Motorola X, Samsung Galaxy A5 2017 and the Sony Xperia Z2 from Amazon Marketplace sellers. We also had existing LG/Google Nexus 5 and Samsung Galaxy S6 smartphones in our test lab.

    All these phones were at least three years old and could only get to Android 7.0, apart from the Samsung Galaxy A5 (2017), which could make it to Android 8.0.

    We tasked expert antivirus lab, AV Comparatives, to try to infect them with malware, and it managed it on every phone, including multiple infections on some.

  • Researchers bought Motorola X, Samsung Galaxy A5 2017, Sony Xperia Z2 from Amazon Marketplace sellers and tested them in the lab along with previously purchased LG/Google Nexus 5 and Samsung Galaxy S6 smartphones. All could be infected by malware at least once, while some models could be infected multiple times.

    The Sony Xperia Z2 was found to leave victims exposed to Stagefright – a devastating attack that can enable a hacker to take complete control over the phone, in order to steal data or charge a ransom to regain access.

    The Sony Xperia Z2 phone was on an older version of Android, 4.4.2 KitKat, and the exploit works by sending music or video files to the victims via MMS or snags them via a phishing website.

    All of the phones in the tests were infected successfully by Joker, also known as Bread. Hackers using this malware, which has been around since 2017, slip it into apps for sale on the Google Play store. Last year Google removed 1,700 apps infected with Joker.

    Joker tricks people into downloading what they think is a legitimate app. If consumers agree to all the permissions, it automatically registers them for a premium rate service that adds charges to users’ phone bills. If that were not enough, it also steals contact details to enable it to target other users.

    Every single device tested was also infected with Bluefrag, a critical vulnerability that focuses on the Bluetooth component of Android. An attacker needs to be within Bluetooth range, such as in a cafe, and then they can silently hack the phone. Once done, they can steal personal information and also use the device to spread the malware elsewhere. Google issued a fix to Bluefrag in newer Android devices in February 2020.

  • Which? incorporates information about devices that no longer receive security updates into its reviews, so consumers can make informed decisions about products that could potentially pose security risks.

Press Release