Four hundred MILLION vulnerable Androids are out there

There's still too many unpatched Android devices, Google reckons: to wit, 29 per cent of mobes and tablets running The Chocolate Factory's operating system are running out-of-date code. In among the self-congratulation in Google's second Android Security Annual Report, we find that only 71 per cent of devices are running …

  1. Carl D

    No more updates for me

    Well, I've just checked for software updates on my Samsung Galaxy Tab 3, 10.1 inch and, once again, I see "The latest updates have already been installed".

    I have Android version 4.4.2 which was installed nearly a year and a half ago. Doesn't look like I'll be getting any more updates, does it? So, what am I supposed to do? Throw it away and buy a new one (which will probably also be 'obsolete' within a couple of years)?

    And, these things are not cheap here in Australia. I think I paid something between $300 and $400 for this one. Fortunately, I only use it occasionally these days. I have Firefox installed with the usual protection (NoScript, AdBlock Plus, etc.) even though Firefox seems excruciatingly slow most of the time on this device.

    1. Boothy

      Re: No more updates for me

      Similar here.

      I got an LG GPad 8.3, a freebie with my TV about 18 months or so back.

      That model (v500) was originally released in Oct 2013, so is basically 2.5 years old, and is still fast enough even for gaming, let alone regular usage, and it still only needs charging maybe twice a week.

      So to me, that's still a perfectly good piece of kit, and doesn't need replacement.

      But, it's been stuck on 4.4.2 for most of that time. It originally came with 4.2.2, but the OTA to 4.4.2 was released in mid 2014.

      There have been a few minor updates since then, just patches, or updated cruft, with the OS version remaining on 4.4.2 :-/

      And this despite there being a Google Play Edition that was updated to 5.1 in April 2015, that is the same hardware!

      I have looked at rooting the thing, and sticking a custom ROM on, but so far I've not managed to get the drivers to work, in order to replace the boot loader (despite doing this fine on other devices in the past).

  2. Carl D

    I also have a Telstra Samsung Galaxy S2 4G smartphone that I've had for 4 years now. Still on the original battery too.

    That has Android version 4.0.4 from about 3 - 4 years ago which was the last update available for it. I guess some people think it's "cool" to change your phone every year. I don't.

    My S2 is on a Vodafone prepaid these days. And, I 'rooted' it quite some time ago and removed all the Google rubbish and some of the other useless stuff that was on it and disabled Internet access. I just use it as a phone (shock, horror), camera and MP3 player.

    1. Kevin Maciunas

      Cyanogen might be your best bet...

      I too have an old S2 and won't be changing it (fits nicely in the pocket). Currently runs CM13 (Marshmallow). SOOOO much smoother and slick than the original S2 codebase from Samsung! I just put CM13 on one of my daughters S3 and she reckons it is like a brand new current gen phone in terms of speed and smoothness. So I really do recommend it!

      The whole Cyanogen process is a lot more professionally done than the Telstra/Samsung debacle. I note there is CM for the tablet you have too :)

    2. Cynical Observer


      You rooted it.... but didn't choose to update it.

      As there are a selection of variants available ranging through KitKat and Lollipop (never looked for Marshmallow) I was just curious as to why?

  3. Steve Davies 3 Silver badge

    Google could fix this but they won't

    Google/Alphabet could (IMHO) fix this by insisting that anyone using the Android core and brand issue patches for at least 4 years (like Apple????) or they must stop using Android and the branding.

    They own the trademark and the likes of HTC, Samsung etc are bringing that trademark into disrepute by the lack of support. (IANAL etc)

  4. Medixstiff

    Most new tablets and phones being sold in shops are at KitKat level, Google can't do anything for cheaper units, which will be the main culprits.

    Samsung hasn't given a damn in the past considering they promised my Galaxy Tab 10.1 and S3 would be updated and that's never occurred.

    Hence why I'm not buying Samsung anymore, too many broken promises from them. I'm telling all my family and friends etc. the same thing. Don't even get me started on their Samsung account nagware messages.

    I'm just waiting for the LG G5 to become more readily available and for any early bugs to be ironed out, so give it another month or two and I should have a new G5.

    1. Tromos

      Don't hold out too much hope

      As soon as early bugs have been ironed out is when the last of the updates you are likely to see will arrive. About the most you can expect is until the manufacturer gets their next model out on the shelves. When even Google break their promises and dump their Nexus 7, expecting support from other manufacturers is asking a bit much. Nexus purchased in September 2012, last update at beginning of 2015. Two and a half years for a device that was theoretically meant to be bang up-to-date for its entire life (battery still able to hold at least 80% of as-new charge, so a good while to go yet). Might as well get the cheapest no-name unit with the latest OS and replace it each year. For the same money, you stay up to date for 5 years.

    2. Anonymous Coward

      You know that KitKat gets security patches from Google right????

      So why does that make it insecure? What extra functionality would a L or M tablet offer? Please tell.

      I would also argue that only budget tablets are still shipping with KitKat. Quality tablets from Samsung, Sony, LG and the like are all on 5.1 or 6.

      My Xperia Tablet Z2 (2 years old) got Android 6.01 yesterday, same OS as my Nexus, seems like you have believed everything the Internet wanted you to believe.

  5. Anonymous Coward

    Why is 4.4.4 the arbitrary line for "vulnerable"?

    There are multiple known exploits for newer versions of Android, most likely the figure of Android devices vulnerable to known exploits is in excess of 99%. Sure, the older the version the more exploits they are vulnerable to, but it only takes one and an effective delivery method.

    Something involving social engineering will only take you so far, but if a hacker compromised an ad network serving major domains like CNN they could infect millions of Android devices in a single day. It is only a matter of time before something like that happens.

  6. Vince

    Well in my case I have intentionally not upgraded.

    My Z3 with 4.4.4 does all I want, and the UI is better than the later versions, I did try them but then flashed the phone back.

    I have several Nexus 7 tablets also on a 4.x branch which are used to control my home, from heating to lighting and the TV etc etc - none rely on any cloud rubbish, all of which work just fine and thus I've no good reason to upgrade them further. The apps and services work, the OS is reliable and it's not broken.

    Why would I risk breaking that?

  7. Doctor_Wibble

    Because it's a toaster!

    This is what happens when a complex device is sold under the guise of being no more difficult to use than a toaster you can take selfies with and play infuriated budgies on. People certainly don't expect to have to replace it when it's still working perfectly well and it's not even old.

    And if like most it's not supported any more and like most you don't follow the security notifications then there's no way that most users are ever going to know unless someone actually tells them.

    So whose fault is it? A single person or an entire industry sector?

  8. BebopWeBop

    It illustrates the challenge that Google – and the Android user – face: a patch gets written at Mountain View, picked up by a manufacturer sometime, handed off to a service provider, and pushed to the user over-the-air.

    Just do the arithmetic. Even probabilities - Mountain View (P1), Manufacturer (P2), Service Provider (P3), User (P4). Assuming P1 is 1 (and I think Google do care :-) and an 80% makeup by the manufacturer (optimistic in some cases), 80% by the service provider and even 80% by the end user - who probably has not noticed the alert, even on this overly simplistic single application model, coverage is not going to be good.

    Moral, if you want an up to date update, use the Apple model. That is not to say they are on top of the problem, or the walled garden is the way to go, but simple probability will always hammer the multi chain version.

  9. BinkyTheMagicPaperclip Silver badge


    Yet another article stating the astoundingly obvious. No motivation for anyone to change their behaviour. No censuring of manufacturers who poorly support their devices in reviews.

    Want to do something useful? Point users at third party ROMs. My 2012 phone is running Marshmallow, and I have no plans to upgrade as manufacturers refuse to release landscape physical keyboard Android phones that are easy to root, and have a removable battery.

  10. HkraM

    Unsupported devices still under warranty

    I think I've had devices by Sony, Samsung, Motorola and Asus that all got one OTA update then became unsupported before the 1 year warranty even ran out. Two of them ended up running Cyanogenmod builds.

    It seems to me that the manufacturers can't even be bothered to support their devices for 1 year.

    1. paulc

      Re: Unsupported devices still under warranty

      "It seems to me that the manufacturers can't even be bothered to support their devices for 1 year."

      I was pleasantly surprised that Tesco did an update for my Hudl 2 even after they stopped selling them.

    2. Anonymous Coward

      Re: Unsupported devices still under warranty

      Lies. All Sony devices get half decent updates. My 2 year old tablet just got Android 6 from Sony a few days back, I have not come across a Sony device that's not got decent support. Even their security patches are reasonably timely (Heartbleed was 3 weeks, regular Google patches lag Nexus by 1-2 months), way better than LG, HTC and Samsung.

  11. I_am_Chris

    This is exactly the reason why

    my next phone is going to be of fruity variety (no, not a Blackberry).

    I made the mistake of buying a supposedly supported Moto G from Three and have got exactly ZERO updates in over a year. This is despite the fact that Motorola are releasing updates.

    The Android patching model is fundamentally broken and Google/manufacturers/networks don't care.

  12. MatsSvensson

    Being the responsible every-day user that I am,

    I just checked for updates on my Sony-phone.

    It says don't worry, it's already running the very latest version: Android 4.0

    Phew, got me worried there for a while!
