Which? report warns hundreds of millions of Android phones are now at risk because they are no longer receiving security updates
Security concerns about Android have been raised by consumer champion Which?, after it warned that more than a billion Android devices are at risk of being hacked.
This is because security updates are no longer being rolled out to anyone using an Android phone released in 2012 or earlier.
“Based on Google data, two in five of Android users worldwide may no longer be receiving updates, and while these devices won’t immediately have problems, without security support there is an increased risk to the user,” Which? warned.
Which? Also warned that its “tests have shown how such phones and tablets, including handsets still available to buy from online marketplaces such as Amazon, could be affected by a range of malware and other threats.”
“This could result in personal data being stolen, getting spammed by ads or even signed up to a premium rate phone service,” it added.
The problem stems from the fact that Google’s own data showed 42.1 percent of Android users worldwide are still on version 6.0 of the Android operating system. Some users are even using earlier versions of the mobile OS.
This means that users of Marshmallow (2015), Lollipop (2014), KitKat (2013), Jellybean (2012), Ice Cream Sandwich (2011) and Gingerbread (2010) are at risk.
Which? pointed to the Android security bulletin, which showed there were no security patches issued for the Android system in 2019 for versions below 7.0 (Nougat).
And the consumer group had some harsh words for Google on the matter.
“Apple typically supports iPhones for around five years, and Microsoft will now continually update Windows 10 for the foreseeable future, having supported previous versions of Windows for up to a decade,” the group said.
“By contrast, Google has whipped through Android versions like a hungry child set loose on the dessert trolley,” it warned. “Generally speaking, the older the phone, the greater the risk. With the Android versions released in the past five years (Android 5.0 to 10.0), Google put more effort into enhancing security and privacy to give the user greater protection, transparency and control over their data. But smartphones can still be an attractive target, and it’s important to be aware of the threat.”
Google apparently declined to respond when Which? asked for data on how many UK users are likely to be affected.
But the group estimate there could potentially be millions of old unsupported Android devices still in use in the UK.
Which? also said that Google failed to provide reassurance that it has plans in place to help users whose devices are no longer supported.
Instead it directed the group towards information on how long its Pixel and Nexus devices will be supported, and advised anyone with another Android device to contact their manufacturer or operator.
Which? said that it then tested a Motorola X, Samsung Galaxy A5 2017, Sony Xperia Z2, as well as a LG/Google Nexus 5 and Samsung Galaxy S6 smartphone.
“All these phones were at least three years old and could only get to Android 7.0, apart from the Samsung Galaxy A5 (2017), which could update to Android 8.0,” the consumer group stated. “We tasked expert antivirus lab, AV Comparatives, to try to infect them with malware, and it managed it on every phone, including multiple infections on some.”
A security expert noted the update problem that Android faces as an operating system that is used by many individual device makers.
“Android device manufacturers, in particular Samsung who is the largest seller, load their devices with tons of features and custom software on top of the default Android,” noted Chris Morales, head of security analytics at Vectra.
“This makes it slow and cumbersome to release software updates in a timely fashion as they have to test those updated against their own custom software,” Morales said. “Android devices end up months behind (if supported at all) after they are released to the market. This makes them easy targets for in the wild and well-known vulnerabilities.”
“Looking at the latest February Android security update, there are 13 disclosed vulnerabilities in Android that are patched,” said Morales. “The most severe vulnerability targeting the Android framework could enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions.”
“The most severe vulnerability targeting the Android system could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process,” said Morales. “Android device manufacturers are notified of security updates a month before they publish.”
“To date, I’m only aware of Google and Essential providing a timely update to this,” said Morales. “Everyone else is still yet to be seen. Most likely OnePlus and Nokia will provide an update next. But as for everyone else, devices can easily go unpatched for months.”
“The March update is right around the corner and most vendors have yet to apply the last round of patches,” he concluded. “It becomes a compound problem as new vulnerabilities are disclosed.”
In April 2018, Germany’s Security Research Labs (SRL) conducted a two-year study into the state of Android security, focused around the monthly updates that Google issues.
The researchers said of the 1,200 smartphones tested, some manufacturers may miss one or two patches from the monthly security updates, but others may miss many more.