A billion Android phones are vulnerable to hackers — make sure yours isn't one

Google Pixel 4 is one of several Android phones that get regular security updates
(Image credit: Tom's Guide)

British consumer-watchdog group Which? made some headlines last week when it declared that "more than one billion Android devices ... are vulnerable to attack by hackers." 

At least one tech-news website replied, "Duh." That's because Which?'s revelation is old news and well known to anyone who understands the smartphone lifecycle. It's also why you need to replace your Android smartphone or tablet every 3 years, and your iPhone or iPad every 5 years.

What to know about phone updates

Gadgets get old quickly. Google releases a new version of Android every year and makes security updates only for that version and the two previous ones. 

Which? said that "Google has whipped through Android versions like a hungry child set loose on the dessert trolley," but in fact Apple does the same and supports only the latest two versions of iOS.

The difference is that while Apple makes sure each iPhone model can get OS updates for 5 years (and a few models have lasted longer), Google guarantees only 3 years of security updates -- and that's just for Google's own Pixel phones and third-party phones in the Android One program.

For other Android phones and devices, security updates could run out in as little as 18 months. (Keep this in mind when considering an Android TV or a car with an Android-based infotainment system.) That's not entirely Google's fault; you can place more of the blame on device manufacturers who want to lock customers into a rapid-upgrade cycle.

Know your phone's security limits

So if you have an Android phone that's more than 3 years old, and it can't be updated to Android 8 Oreo or later, leave it at home and get a new phone to take out into the world. If your iPhone is more than 5 years old and can't be updated to iOS 13, do the same.
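As an added example (not from the article), here is a small script that applies the article's cutoff to what a device actually reports: it parses the output of `adb shell getprop`, reads the Android release and the monthly security-patch level, and flags a phone that is below Android 8 or whose patch level is stale. The sample `getprop` output is constructed, and the 90-day staleness threshold is an assumption chosen for illustration.

```python
import re
from datetime import date

# Constructed `adb shell getprop` output for two hypothetical devices (not real captures).
OLD_DEVICE = """
[ro.build.version.release]: [7.1.1]
[ro.build.version.sdk]: [25]
[ro.build.version.security_patch]: [2018-03-05]
[ro.product.model]: [ExampleOldModel]
"""
CURRENT_DEVICE = """
[ro.build.version.release]: [10]
[ro.build.version.sdk]: [29]
[ro.build.version.security_patch]: [2020-02-05]
[ro.product.model]: [ExampleCurrentModel]
"""

# getprop prints one property per line as "[key]: [value]".
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")

def parse_getprop(text):
    """Turn getprop output into a dict of property name -> value."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props

def major_version(release):
    """'7.1.1' -> 7, '10' -> 10; anything unparsable counts as 0."""
    try:
        return int(release.split(".")[0])
    except ValueError:
        return 0

def assess(props, today, min_major=8, max_patch_age_days=90):
    """Return (still_supportable, reasons). min_major follows the article's
    Android 8 cutoff; max_patch_age_days is an assumed staleness window."""
    reasons = []
    release = props.get("ro.build.version.release", "0")
    if major_version(release) < min_major:
        reasons.append(f"Android {release} is below the minimum ({min_major})")
    patch = props.get("ro.build.version.security_patch")
    if patch is None:
        reasons.append("device reports no security patch level")
    else:
        y, m, d = (int(x) for x in patch.split("-"))
        age = (today - date(y, m, d)).days
        if age > max_patch_age_days:
            reasons.append(f"security patch level {patch} is {age} days old")
    return (not reasons, reasons)
```

Run it against a real phone by piping `adb shell getprop` into `parse_getprop` and calling `assess` with today's date.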

When you get a new Android phone, make sure it's one that gets security updates in a timely manner. Google's Pixel phones and third-party Android One phones are best, because they'll get updates within a week or two after the update's release.

Other phones' updates depend on the manufacturer, and it's not clear which do best at updating phones. One study by Android Authority in early 2019 had Sony and OnePlus as the best at distributing updates, but Counterpoint countered later in 2019 by saying Nokia and Samsung were the update champs.

Whichever model of Android phone you get, you'll want to install one of the best Android antivirus apps, because Google's built-in Google Play Protect security protection is awful. Alternately, you could just get an iPhone and not have to worry for a good 5 years.

Which statistics are correct?

Which? arrived at its headline-making conclusion by looking at a snapshot of Android version market share provided by Google in May 2019. At that time, "42.1% of Android active users worldwide [were] on version 6.0 or earlier." 

At the time, only Android 9 Pie, Android 8 Oreo and Android 7 Nougat were getting updates. The "billion" number assumes that there are 2.5 billion actively used Android devices, which may or may not be accurate -- let's make it "hundreds of millions." 

Ten months later, the picture is a little better. Google still hasn't updated its market-share dashboard since May, but a couple of third-party statistical services provide more up-to-date numbers.

AppBrain culls data from "over 100 million monthly users" running apps that use AppBrain's code. It estimated that on Feb. 29, 2020, 36.8% of Android devices ran Pie, 21.6% ran Oreo and 5% ran the latest version, Android 10.

That's 63.4% of live Android devices able to receive updates, or about 36.6% that couldn't. About 12.8% of Android phones in AppBrain's survey ran Nougat, but that version of Android stopped being updated once Android 10 was released in September 2019.

Statcounter gathers data from "more than 2 million websites" that tally which operating systems their visitors use. It reckons that in February 2020, 41.4% of Android users ran Pie, 20.2% Oreo and 7.3% Android 10, for a total of 68.9% of devices able to get security updates. (Nougat's share was 6.7%, half of AppBrain's estimate.)

The picture still isn't great

Still, even this rosiest of possible pictures leaves nearly one-third of active Android devices unable to receive security updates. It's the users of those devices who are most likely to fall prey to scammers, hackers and rogue apps.

So avoid being one of those victims-in-waiting. Either get an iPhone, or get one of the Android models -- a Google Pixel or an Android One phone -- that will be guaranteed to get security updates for three years.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.