TORONTO -- More than a billion Android devices are at risk of being hacked because they are no longer protected by security updates, according to a consumer watchdog.

Researchers at Which? magazine found 40 per cent of Android users worldwide are no longer receiving security updates from the Google operating system, putting them at risk of data theft, ransom demands and malware attacks.

Experts at the British publication took a selection of phones and tablets and found they could easily be hacked.

“Researchers tested a range of phones including models from Motorola, Samsung, Sony and LG/Google and found vulnerability to hacks including enabling personal information to be stolen, a hacker to take complete control over the phone or large bills for services that the phone owner hasn’t used themselves,” Which? wrote in a press release March 6.

“Recently out-of-support devices won’t immediately have problems, but without security updates, the risk to the user of being hacked goes up exponentially. Generally speaking, the older the phone, the greater the risk.”

Anyone using an Android phone released around 2012 or earlier should be especially concerned, Which? said.

Which? shared its findings with Google, but it said the tech giant’s response “failed to provide reassurance that it has plans in place to help users whose devices are no longer supported.”

The consumer magazine called for more transparency around how long updates for smart devices will be provided so consumers can make “informed buying decisions.”

“It’s very concerning that expensive Android devices have such a short shelf life before they lose security support – leaving millions of users at risk of serious consequences if they fall victim to hackers,” said Which? computing editor Kate Bevan.

“Google and phone manufacturers need to be upfront about security updates – with clear information about how long they will last and what customers should do when they run out.”

For its test Which? asked antivirus lab AV Comparatives to try to infect five test phones with malware: a Motorola X, a Samsung Galaxy A5, a Sony Experia Z2, a LG/Google Nexus 5 and a Samsung Galaxy S6. It succeeded on every phone, including multiple infections on some.

Which? added that Google and other manufacturers have questions to answer about the environmental impact of phones that can only be supported for three years or less.

What to do if your phone is at risk

The magazine also provided tips on updating an Android device to a newer version of the operating system.

To see which version of Android a device is using, open the phone’s settings app, tap system, then advanced and then system update.

It recommended users on anything older than Android 7.0 Nougat update their phone or tablet through the system update menu.

Smartphone users unable to update their version of Android will be at an increased risk of a hack, Which? said, especially if running Android 4 or lower.

The current version is Android 10 while Android 9 (Android Pie) and Android 8 (Android Oreo) are still getting security updates, Which? said, and anything below Android 8 will carry security risks.

If a phone can no longer get Android updates, Which? provided advice on how to protect a phone’s valuable data.

“The majority of threats come from downloading apps from outside the Google Play store, so be very wary of that,” it said.

Which? urged smartphone users to be wary of suspicious SMS or MMS messages and to back up their data in at least two places, a hard drive and a cloud service.

“There are a range of additional apps that can provide some protection for your older Android device against security threats,” Which? said.

“Bear in mind, though, that the choice might be limited for really old Android builds.”