How long do Android smartphones and tablets continue to receive security updates after purchase?
The slightly shocking answer is barely two years, and that assumes you bought the handset when it was first released. Even Google’s own Pixel devices get no more than three years.
Several million users hang onto their Android devices for much longer, raising questions about their continued security as the number of serious vulnerabilities continues to rise.
Add up all the Android handsets that are no longer updated and you get big numbers: according to the Google Developer Dashboard last May, almost 40% of Android users were still on handsets running versions 5.0 to 7.0, which have not received updates for between one and four years. One in ten is running something even older than that. Put together, that is on the order of a billion devices.
The point is brought home by new tests from the consumer group Which?, which found it was possible to infect older popular handsets, most running Android 7.0 – the Motorola X, the Samsung Galaxy A5, the Sony Xperia Z2, the Google Nexus 5 (LG) and the Samsung Galaxy S6 – with mobile malware.
All of the above were vulnerable to the recently discovered Bluetooth flaw known as BlueFrag (CVE-2020-0022) and to the Joker malware strain from 2017. The older the device, the more easily it could be infected: the Sony Xperia Z2, running Android 4.4.2, was still vulnerable to the Stagefright flaw from 2015.
Google recently had to remove 1,700 apps containing Joker (aka Bread) from its Play Store, only the latest move in an increasingly desperate rearguard action against malware hosted under its nose.
It’s not just that these devices no longer receive security patches: older models also lack the set of security and privacy enhancements that Google added in versions 9 and 10.
Kate Bevan, Which? Computing editor (and formerly of Naked Security), said:
It is very concerning that expensive Android devices have such a short lifespan before losing security – leaving millions of users at risk of serious consequences if they become victims of hackers.
Bevan raised the interesting point that the idea that a device only gets updates for two years will come as news to most Android users:
Google and the phone manufacturers need to be frank about security updates, with clear information about how long they will last and what customers should do when they run out.
Google gave the same statement to several media outlets in response to the report:
We are committed to improving the security of Android devices every day.
We provide security updates with bug fixes and other protections every month, and work continuously with hardware and carrier partners to ensure Android users have a fast and secure experience with their devices.
In truth, users are caught between two forces. On the one hand, Google is determined to drive the evolution of Android for competitive reasons, publishing a new version every year.
On the other hand are the manufacturers, eager to keep people buying new models on the pretext that the older ones won’t run the updated versions (which is not always true).
Security falls somewhere in between, and despite Google’s efforts in recent years to put security patches on a monthly cycle, the reality is far from that ideal.
Eventually there comes a time to retire an old device, but for most users that time comes well after two years.
To underline the point, the March 2020 Android security bulletin fixed a MediaTek flaw, CVE-2020-0069, which had been actively exploited in the wild for several months.
And yet MediaTek says it had a patch for the flaw last May, which device manufacturers didn’t apply. Even now that it is included in Google’s bulletin, it can take months to reach devices because updates propagate so slowly. And this is a flaw known to be exploited in the wild.
Android users can check their version of Android and get security updates by following these tips from Google.
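For anyone checking a fleet rather than a single phone, the same two facts can be read from the device over adb and compared against a policy. The script below is an added example, not code from the article, from Which? or from Google. It parses the `[key]: [value]` lines that the real `adb shell getprop` command prints, reads `ro.build.version.release` (the Android version) and `ro.build.version.security_patch` (the patch level Google's bulletins reference, present since Android 6.0), and flags a device as stale when the patch level is older than a threshold or the Android version is in the no-longer-updated 5.0 to 7.0 range the article describes. The 90-day threshold and the "below Android 8" cut-off are assumptions chosen for illustration, and the sample getprop output is constructed; with adb installed and a device attached it reads the live properties instead.

```python
"""Assess an Android device's OS version and security patch level.

Added example (not from the article, Which? or Google). Parses the output of
the real `adb shell getprop` command; the sample output below is constructed.
"""
import re
import shutil
import subprocess
from datetime import date

# Constructed sample of `adb shell getprop` output for an old Android 7.0 handset.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [7.0]
[ro.build.version.sdk]: [24]
[ro.build.version.security_patch]: [2017-04-01]
[ro.product.model]: [SM-A510F]
"""

# getprop prints one property per line as "[key]: [value]".
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$", re.M)

# Assumed policy values for this example: how old a patch level may be, and the
# lowest Android major version still considered to receive platform updates.
MAX_PATCH_AGE_DAYS = 90
MIN_SUPPORTED_MAJOR = 8


def parse_getprop(text):
    """Turn getprop's "[key]: [value]" lines into a dict."""
    return {m.group("key"): m.group("value") for m in PROP_RE.finditer(text)}


def patch_age_days(props, today):
    """Days between `today` and the device's security patch level.

    Returns None when the property is missing or not an ISO date, which itself
    indicates a very old build (the property appeared in Android 6.0).
    """
    raw = props.get("ro.build.version.security_patch", "")
    try:
        patch = date.fromisoformat(raw)
    except ValueError:
        return None
    return (today - patch).days


def assess(props, today, max_age_days=MAX_PATCH_AGE_DAYS,
           min_major=MIN_SUPPORTED_MAJOR):
    """Return ("ok" | "stale", [reasons]) for a parsed getprop dict."""
    reasons = []

    release = props.get("ro.build.version.release", "")
    try:
        major = int(release.split(".")[0])
    except ValueError:
        major = None
    if major is None:
        reasons.append("cannot read Android version from ro.build.version.release")
    elif major < min_major:
        reasons.append(f"Android {release} is below {min_major} and no longer receives platform updates")

    age = patch_age_days(props, today)
    if age is None:
        reasons.append("security patch level missing or malformed")
    elif age > max_age_days:
        reasons.append(f"security patch level is {age} days old (limit {max_age_days})")

    return ("stale" if reasons else "ok"), reasons


def getprop_from_device():
    """Read live properties over adb when adb is on PATH; otherwise return None."""
    if shutil.which("adb") is None:
        return None
    result = subprocess.run(["adb", "shell", "getprop"],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    text = getprop_from_device() or SAMPLE_GETPROP
    verdict, why = assess(parse_getprop(text), date.today())
    print(verdict)
    for reason in why:
        print("  -", reason)
```

Run it with a phone attached and `adb` installed to check the real device; without adb it evaluates the constructed sample, which a March 2020 policy would flag both for being on Android 7.0 and for a patch level nearly three years old. Treat a missing `ro.build.version.security_patch` as a failure rather than an unknown, since it means the build predates the property entirely.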