
One Billion Android Phones & Tablets At Risk Of Malware


Google often receives criticism for its system update limit, but a new study says that one billion Android phones and tablets are at risk of malware.

One billion Android phones and tablets at risk of malware

The study, conducted by consumer watchdog Which?, says that one billion Android devices running Android 6.0 Marshmallow or earlier (5.0 Lollipop, 4.4 KitKat, 4.3 Jelly Bean, 4.0 Ice Cream Sandwich, etc.) are vulnerable to malware and software infections. These devices no longer receive security updates, which makes them easy to infect. Which? found this by infecting the aging mobile devices with the Joker malware (Bread) as well as the Bluetooth vulnerability BlueFrag.

The sheer number of devices explains why Which? finds this security report troubling for Android. And yet, that’s not all there is to the story.

One billion Android phones and tablets with malware: troubling number, sobering facts

To make sense of the security report, one must understand that Android devices have a standard update schedule. They receive 2 years of system updates (from Android Pie to Android 10, for example) and 3 years of security patches. Security patches continue for an additional year after system updates are over. This means that phones running Android 8.0 Oreo are done with system updates and have perhaps a year of security patches left.

Devices running Android 6.0 Marshmallow and earlier are over 5 years old and are ineligible for any future updates. This is, of course, according to current Android device update rules.

Devices without security and system updates will start to become vulnerable to viruses, malware, and other mobile attacks. Like cars that no longer get tune-ups, mobile devices without updates stop working effectively over time.

Transparency and Android: it’s somewhat complicated

Some critics say that Google must create greater transparency and buyer awareness about device updates. Anyone that asks carriers about their device will receive the same answer as that given above: 2 years of system updates, 3 years of security patches. There’s nothing deceptive about this.

When it comes to Android devices, OEMs are given free rein over product support. An Android OEM, say, Samsung, can support an entry-level phone such as the Galaxy A20 or A10e for a year and then cease updating it. Samsung could also, surprisingly, update an entry-level device beyond the 12-month mark if it so chooses.

Thus, the “2-year system, 3-year security” update rule applies in many cases exclusively to flagships. And even in the case of flagships, there are no guarantees. A flagship that doesn’t sell well can be excluded from the next system update. Samsung can essentially decline to update a new device without rebuke from Google.

In short, there is an update rule in Android, but OEMs can fulfill it or not on any device. It all depends on manufacturer whim. This doesn’t discount the fact that Android flagships come with hardware limitations that, unfortunately, exclude them from updates by default.

Studies call for Google to set mandatory rule, make OEMs accountable

Understanding the update rule and OEM prerogative and agreeing with them are two different things. The rub in Android comes with accepting the standard update rule. Many buyers are calling for extensions to the current update schedule. To them, Google should mandate 3 years of system updates and 4 years of security patches for every Android device.

Perhaps update extensions across the board are a good thing. And yet, what many overlook is whether or not Google’s Android agreement includes update prerogative. Google may give OEMs prerogative over product support decisions.

Google can impose a mandate on OEMs, however. After all, Google did give its first-gen Pixel and Pixel XL the Android 10 update (in effect, 3 years of system updates as opposed to the 2-year norm). It’s not as if Google isn’t aware that it can change the rule. Mandating such a rule, however, may alienate Android OEMs to the point where some abandon Android altogether.

Even in the current political war between the US and China, Google is currently trying to bring Huawei back to the Android OEM fold. The reason comes down to the fact that Google is losing money and data because Huawei’s latest devices are not running Google Play apps and services. Huawei is losing out, but Google is, too. Huawei threatened to take 800 million users from Android. Whatever the number, it must be astronomical for Google to want Huawei back in Android again, whether a national security threat or not.
