How long do Android smartphones and tablets continue to receive security updates after they’re purchased?
The slightly shocking answer is barely two years, and that’s assuming you bought the handset when it was first released. Even Google’s own Pixel devices max out at three years.
Many millions of users hang on to their Android devices for much longer, which raises questions about their ongoing security as the number of serious vulnerabilities continues to grow.
Add up all the Android handsets no longer being updated and you get big numbers – according to Google’s developer dashboard last May, almost 40% of Android users still use handsets running versions 5.0 to version 7.0, which haven’t been updated for between one and four years. One in ten run something even older than that, equivalent to one billion devices.
The point is brought home by new testing from consumer group Which?, discovering that it was possible to infect popular older handsets mainly running Android 7.0 – the Motorola X, Samsung Galaxy A5, Sony Xperia Z2, Google Nexus 5 (LG), and the Samsung Galaxy S6 – with mobile malware.
All of the above were vulnerable to a recently discovered Bluetooth flaw known as BlueFrag, and to the Joker strain of malware from 2017. The older the device, the more easily it could be infected – Sony’s Xperia Z2, running Android 4.4.2, was vulnerable to the StageFright flaw from 2015.
Google recently had to remove 1,700 apps containing Joker (aka Bread) from its Play Store, only the latest in an increasingly desperate rearguard action against malware being hosted under its nose.
It’s not simply that these devices aren’t getting security fixes but older models also miss out on a bundle of security and privacy enhancements that Google has added to versions 9 and 10.
Kate Bevan, Which? Computing editor (and formerly of Naked Security), said:
It’s very concerning that expensive Android devices have such a short shelf life before they lose security support – leaving millions of users at risk of serious consequences if they fall victim to hackers.
Bevan raised the interesting point that the idea that a device might only get updates for two years will come as news to most Android users:
Google and phone manufacturers need to be upfront about security updates, with clear information about how long they will last and what customers should do when they run out.
Google has issued the same response to several media outlets in response to the report:
We’re dedicated to improving security for Android devices every day.
We provide security updates with bug fixes and other protections every month, and continually work with hardware and carrier partners to ensure that Android users have a fast, safe experience with their devices.
In truth, users are being squeezed between two forces. On the one hand, Google is determined to drive the evolution of Android for competitive reasons, releasing a new version every year.
On the other are manufacturers, eager to keep people upgrading to new models on the pretext that the older ones won’t run these updated versions (which is not always true).
Security sits somewhere between the two, and despite attempted reforms by Google in recent years to make security fixes happen on a monthly cycle, the reality is some way from that ideal.
Eventually, there comes a time to discard an old device, but for most users that will be longer than two years.
To ram home the point about flaws, the March 2020 Android security bulletin patched a MediaTek flaw, CVE-2020-0069, which has being actively exploited in the wild for several months.
And yet MediaTek thinks it had a fix for the flaw last May, but device makers didn’t apply it. Even now that it’s namechecked in Google’s update, it could take months to percolate through to devices because updates happen so slowly. And this is a flaw known to be exploited in the wild.
Android users can check their Android version and get security updates by following this advice from Google.