More than one billion Android devices around the world are vulnerable to attack by hackers because they are no longer supported by security updates and built-in protection, new research by Which? has found.

Based on Google data, two in five Android users worldwide may no longer be receiving updates, and while these devices won’t immediately have problems, without security support there is an increased risk to the user.

Our latest tests have shown how such phones and tablets, including handsets still available to buy from online marketplaces such as Amazon, could be affected by a range of malware and other threats. This could result in personal data being stolen, getting spammed by ads or even signed up to a premium rate phone service.

Our smartphone reviews clearly flag when devices are no longer supported, so you can shop with confidence.

Android’s desserts turn sour

Apple typically supports iPhones for around five years, and Microsoft will now continually update Windows 10 for the foreseeable future, having supported previous versions of Windows for up to a decade. By contrast, Google has whipped through Android versions like a hungry child set loose on the dessert trolley.

Generally speaking, the older the phone, the greater the risk. With the Android versions released in the past five years (Android 5.0 to 10.0), Google put more effort into enhancing security and privacy to give the user greater protection, transparency and control over their data. But smartphones can still be an attractive target, and it’s important to be aware of the threat.

Based on Google’s own data from May 2019, 42.1% of active Android users worldwide are on version 6.0 or earlier: Marshmallow (2015), Lollipop (2014), KitKat (2013), Jelly Bean (2012), Ice Cream Sandwich (2011) and Gingerbread (2010).

According to the Android Security Bulletin, there were no security patches issued for the Android system in 2019 that targeted Android versions below 7.0 Nougat.

That means more than one billion phones and tablets may be active around the world that are no longer receiving security updates.

Google’s plans to combat the threat

Google declined to respond when we asked for data on how many UK users are likely to be affected. But we estimate there could potentially be millions of old unsupported Android devices still in use in the UK.

The tech giant also failed to provide reassurance that it has plans in place to help users whose devices are no longer supported.

Instead it directed us towards information on how long its Pixel and Nexus devices will be supported, and advised anyone with another Android device to contact their manufacturer or operator.

It also highlighted Project Treble, which is designed to make it easier for third-party mobile phone manufacturers to update their devices to newer versions of Android more quickly, and Project Mainline, designed to make important security updates easily accessible from the Google Play store – working in the same way as app updates would usually roll out to a phone. If automatic updates are enabled, this should mean a phone receives these important patches without any action on the part of the user.

However, both these plans are in the early stages, and with phone brands also having to play their part in ensuring updates are not delayed, time will tell whether they are adequate to address concerns around security.

The malware threat to mobile phones

To find out more about the threat of malware to phones first hand, we bought a Motorola X, Samsung Galaxy A5 2017 and the Sony Xperia Z2 from Amazon Marketplace sellers. We also had existing LG/Google Nexus 5 and Samsung Galaxy S6 smartphones in our test lab.

All these phones were at least three years old and could only get to Android 7.0, apart from the Samsung Galaxy A5 (2017), which could update to Android 8.0.

We tasked the expert antivirus lab AV-Comparatives with trying to infect them with malware, and it managed it on every phone, including multiple infections on some.

As you can see in the above chart, all the Android phones we used in our test lacked the more modern security features introduced by Google to the latest Android 9.0 or 10.

Most crucially, though, they are no longer receiving updates, also known as patches, which are issued when a new strain of malware or a new exploit is discovered.

BlueFrag: All the devices could be infected with BlueFrag, a critical vulnerability in the Bluetooth component of Android. An attacker needs to be within Bluetooth range, such as in a cafe, and can then silently hack the phone to plunder data and use the device to spread malware. Google issued a fix for BlueFrag in newer Android devices in February 2020.

Joker: All the phones were infected by Joker, also known as Bread. This malware, which has been around since 2017, is able to slip into the Google Play store. Joker tricks you into downloading what you think is a legitimate app. If you agree to all the permissions, it automatically registers you for a premium-rate service that adds charges to your phone bill, and pinches your contact details to enable it to target other users.

Stagefright: The Sony Xperia Z2, which is still running Android 4.4.2 KitKat, could also be infected with Stagefright. This exploit is delivered as a music or video file sent to the victim via MMS, or snags them via a phishing website. This devastating attack can enable a hacker to take complete control of your phone, to steal data or to charge you a ransom to regain access. The other phones were not vulnerable to this.

Cryptomining malware: The impact of a malware infection can vary. For example, in a previous test we infected an Android smartphone with malware that uses the device to mine for lucrative cryptocurrency. Our test showed a devastating effect on battery life, with the infected Android phone draining its battery 104% faster than a normal device.

What should I do if my mobile phone is no longer updated?

If your Android device is more than two years old, check whether it can be updated to a newer version of Android. Open your phone or tablet’s Settings app, then tap System > Advanced > System update. You can then see your Android version.

If you are on a version before Android 7.0 Nougat, try to update your system. Still in the System update section, follow the instructions to run the update. If you can’t update to a newer version, you’ll need to consider that there will be an increased risk of using your device going forwards – especially if you are running a version of Android 4 or lower.
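For readers who manage several handsets, the same check can be done from a computer over USB debugging rather than through the Settings menus. The script below is an added example, not part of the Which? article: it reads the build properties a device reports through `getprop` (on a real device, `adb shell getprop`; here a constructed sample of what an old Marshmallow handset would print) and applies the article’s threshold, that nothing below Android 7.0 received a 2019 security patch. The additional "stale" class, for a device that is on 7.0 or later but whose security patch level is more than twelve months old on the day of the check, is this example’s own heuristic, not a figure from the article.

```shell
#!/bin/sh
# Added example: classify an Android device's update status from the build
# properties that `getprop` reports. Not code from the Which? article.

# Constructed sample of `adb shell getprop` output from an unsupported handset.
# On a real device replace this with: adb shell getprop
SAMPLE_PROPS='[ro.build.version.release]: [6.0.1]
[ro.build.version.sdk]: [23]
[ro.build.version.security_patch]: [2017-08-01]'

# Extract the value of one property from getprop-style lines on stdin.
prop() {
    sed -n "s/^\[$1\]: \[\(.*\)\]$/\1/p"
}

# Turn YYYY-MM-DD into the integer YYYYMMDD so dates compare with -lt.
date_num() {
    printf '%s' "$1" | tr -d -
}

# classify RELEASE PATCH_DATE [TODAY]
# Prints "unsupported" for any release below 7.0 (the article's threshold),
# "stale" for a newer release whose patch level is over a year old (this
# example's own heuristic), and "current" otherwise.
classify() {
    version=$1
    patch=$2
    today=${3:-$(date +%Y-%m-%d)}
    major=${version%%.*}
    if [ "$major" -lt 7 ]; then
        echo unsupported
        return 0
    fi
    # Devices before Marshmallow report no security_patch property at all;
    # treat a missing patch level as infinitely old.
    patch_num=$(date_num "${patch:-0000-00-00}")
    cutoff_year=$(( ${today%%-*} - 1 ))
    cutoff_num=$(date_num "${cutoff_year}${today#????}")
    if [ "$patch_num" -lt "$cutoff_num" ]; then
        echo stale
    else
        echo current
    fi
}

# report PROPS [TODAY]: one-line summary for a block of getprop output.
report() {
    version=$(printf '%s\n' "$1" | prop ro.build.version.release)
    patch=$(printf '%s\n' "$1" | prop ro.build.version.security_patch)
    echo "Android $version, security patch ${patch:-unknown}: $(classify "$version" "$patch" "$2")"
}

# Stand-alone run against the constructed sample.
report "$SAMPLE_PROPS"
```

To check a connected device instead of the sample, run `report "$(adb shell getprop)"`; the `ro.build.version.security_patch` property only exists from Android 6.0 onwards, which is why the script tolerates its absence.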

If you are still using such a phone, carefully consider the following advice until you upgrade.

1. Be careful what you download: The majority of threats come from downloading apps from outside the official Google Play store (known as side-loading). If you do this, check carefully that the app is genuine, and always manually re-enable the ‘unknown sources’ block in your Android settings after you’ve finished (newer Android versions do this automatically).

2. Watch what you click on: As well as traditional phishing threats that might arrive via email, variations on these threats can be sent to a phone via SMS or MMS messages to take advantage of vulnerabilities found on some older versions of Android. Be very wary of clicking on any links that look suspicious, especially if they are from senders you’re not familiar with.

3. Back up your data: Make sure all your data is backed up in at least two places (a hard drive and a cloud service). If something goes wrong and you do get infected, this will help to ensure you won’t lose access to anything vital.

4. Get mobile antivirus: There are a range of extra apps that can provide some protection for your older Android device against security threats. Bear in mind that the choice might be limited for really old Android builds. We could barely find any reputable services for the Sony Xperia Z2 running Android 4.4.

If you’re using a phone that’s no longer being updated and are concerned, read our mobile phone security advice to mitigate the risk.