Millions of Android devices vulnerable to hacking

Two in five Android users across the world - totalling over one billion devices worldwide - may not be receiving updates needed for protection against hackers.

According to Android's security bulletin, there were no security patches issued in 2019 for Android versions below 7.0 (Nougat).

Security watchdog Which? highlighted this in a new report, saying that users of Android 6.0 (Marshmallow) and below - over 40% of users worldwide - are at risk of virus attacks on their devices.

Although Google didn't respond to Which? requests for UK-specific information, the watchdog estimates that millions of phones in the country could still be running insecure versions of Android.

Who's at risk?

At-risk devices could include phones and tablets still available to buy.

In fact, Which? tested five phones they bought from Amazon Marketplace sellers. These included devices that ran on 7.0 and 8.0 (Oreo). The watchdog, along with antivirus experts AV Comparatives, was able to infect all five with different kinds of malware.

What kinds of malware?

AV Comparatives used three types of malware in their tests:

• BlueFrag, which attacks phones via Bluetooth and steals data
• Joker, which tricks users into downloading a fake app on Google Play store and automatically charges them for premium-rate services
• Stagefright, which works via MMS or a phishing website and gains complete control over the phone. (Only the phone still running 4.2.2 - KitKat - was infected by this.)

Android updates

This isn't the first time that we've written about Android security issues, but things are improving - at least for those on the latest versions of the OS.

Google started their Android 10 rollout in September 2019. It includes safeguarding tools to reduce the risk of malicious apps being installed, as well as improvements in encryption and data protection.

Google are also working on two projects that might address security concerns: Project Treble, which should make it easier for phone manufacturers to update Android quickly; and Project Mainline, which is designed to allow users to get security updates from the Google Play Store, in the same way as they get app updates. That means users with automatic updates shouldn't have to take any action to get the latest security patches.

Huawei users may still be nervous about Android security since last year's US ruling downgraded their versions of the OS to open source - meaning they don't get Google Play Services or hear about patches and upgrades ahead of time. Huawei devices will still get Android 10, but the core services are still missing - so extra care should be taken to upgrade when necessary.

Is my phone at risk from hackers?

Check to see what version of Android the device is using:

1. Open Settings
2. Tap System
3. Tap Advanced
4. Tap System update

The Android version should then be displayed. If an update is available, it's usually a good idea to go ahead right away - and if the version is lower than 7.0, it's particularly important to update (instructions to update should be on-screen in the same section).

Find a tutorial for your device on Google's support site.

If updating to 7.0 or above is impossible, it might be time to consider a new device. If that's not currently within budget, take extra care with security.

How to protect against phone hacks

No matter the phone or operating system, it's important to follow security guidelines. Although 'cybersecurity fatigue' can mean constant vigilance seems exhausting, the consequences of hacks can be stressful and costly. Be careful of which apps you download, what you click on in emails and texts,

Take particular care when downloading and using apps that deal with money (read our guide to ensuring your mobile banking app is safe).

When changing devices, research the most secure smartphone or tablet. Apple's iOS usually beats Android for timely security patches and updates - so those concerned about security might bear that in mind when choosing a new device.