Two out of five Android phones around the world no longer receive security fixes or support from OEMs, leaving them vulnerable to cyber attacks and malware infections, a report by consumer advisory firm Which? has revealed.
These unprotected and unsupported Android phones number more than one billion worldwide, which means an extremely high number of Android users are exposed to malicious cyber operations.
Based on data released by Google, Which? found that 42.1% of Android phones presently in use around the world are running Android version 6.0 or earlier. Since Google did not release a single security update in 2019 for devices running Android versions below 7.0 Nougat, more than one billion Android phones are presently unprotected from the latest cyber threats.
The firm noted that Google is presently running Project Treble and Project Mainline to make it easier for mobile device manufacturers to update devices to newer Android versions and to make important security updates easily accessible from the Google Play store. However, both projects are in their early stages, and OEMs have announced no fixed timeline for upgrading older devices, some of which are still being sold on e-commerce websites.
Most Android phones running old OS versions are vulnerable to malware attacks
By running tests through antivirus lab AV Comparatives on older Android phones such as the Motorola X Style, Google Nexus 5, Samsung Galaxy A5 2017, Samsung Galaxy S6 Edge and Sony Xperia Z2, Which? found that all of them are vulnerable to the Joker malware, which tricks users into downloading fake apps and covertly registers them to premium-rate services, and to the BlueFrag exploit, which allows hackers to invade devices via Bluetooth and exfiltrate stored data.
"These are worrying finds, and further highlight that mobile devices are untrusted and potentially hostile environments. Although the recent launch of Android 10 introduced updated security features, many consumers aren’t able to access them because their carrier or device manufacturer will not distribute the updated OS," says Will La Sala, Sr. Director of Global Solutions at OneSpan.
"It’s not surprising to see that Google’s own data shows that 42.1% of Android users globally are on version 6 or below. Indeed, 9 months after its release, only 10.4% of Android users had installed version 9.
"For mobile developers, it’s clear that they can’t depend solely on the security of the operating systems or manufacturers’ devices to secure their apps. Security features must be baked into the app development process from the start and developers must operate under the assumption that their apps will be installed on and launched on some number of insecure devices.
"Technologies such as application shielding will help applications remain secure even when there are holes in the platform. Application shielding can harden the application by securing the way it is deployed to application stores, and strengthening the way the platform interacts with the application," he adds.
Good cyber hygiene and the use of antivirus solutions can keep Android phones secure
According to Which?, Android phone users can keep their devices secure from various cyber threats even if their devices run old and unsupported versions of the Android operating system. The firm advises that users should avoid downloading apps from third-party app stores or websites, avoid clicking on suspicious links, back up their data regularly, and use mobile antivirus solutions at all times.
Carl Wearn, Head of e-crime at Mimecast, says that Android users should update their devices with security measures including a reliable antivirus solution and strict cyber hygiene around the use of online accounts, passwords and applications.
"I would urge all users to review their current use of mobile devices and to be aware of the increasing threat to them in the coming months. Consider installing an AV solution and be aware of your device’s connectability and the enhanced risk of compromise that the use of public wi-fi presents. VPNs can be installed on mobile devices and the use of your device’s own mobile data is preferable given it is encrypted.
"Adding multi-factor or 2-factor authentication to online accounts is recommended, but these are normally related to trusted mobile phone numbers and so an enhanced risk of compromise to these devices themselves risks rendering this additional security measure ineffective. The security of mobile devices, given their current and rapidly increasing capabilities, will be a key focus in the next few years, both for network and security providers, and criminals," he adds.