Google has now released details of October’s Android security update, warning that the most “severe” of seven high-severity vulnerabilities “could lead to remote code execution with no additional execution privileges needed.” There is also a raft of high-severity fixes for third-party components, which leave devices at risk until applied.
As usual, the situation for Pixel owners is more straightforward than other OEMs, and that’s especially true for Samsung users, still reeling from the surprise delay to Android 15 suddenly confirmed last week. Samsung has also issued details of its own October security update, which thankfully now includes two critical Qualcomm vulnerabilities delayed from September’s Android update.
Not all Pixel and Samsung devices are eligible for updates, of course, and you should check to ensure you know if you are still getting these critical updates. You can do so here for Pixel and Samsung, with the latter also detailing whether those updates are monthly, quarterly or even biannually. Suffice to say, if you’re not on monthly updates then there will be significant periods of time when your device is at risk.
The duration of support eligibility has become something of a competitive battle between Google and Samsung, with it now significantly longer than before. Seven years has become the new standard for flagships, which will likely outlast the utility of the device, especially as annual AI performance updates become the norm and some of those features make their way onto low-priced phones.
Samsung is even extending support for budget devices, with the new Galaxy A16 5G, launched to go head-to-head with Chinese low-end devices, coming with six years of support—unprecedented at that level. “If you buy the Galaxy A16 5G,” says Android Authority, “you can expect updates till October 2030. If you weren’t convinced that Samsung is the king of software updates, we hope you are now.”
But elongated support is a new shift for Android, and there remain a staggering number of devices that have fallen off the support roundabout, which was easy to do when support eligibility was just three or four years. Zimperium’s Global Mobile Threat Report, published a fortnight ago, warns that 14% of Android devices used within enterprises “cannot be upgraded, leaving them susceptible to exploitation.” The number is far lower for iPhones, with just 1% at risk.
That’s the enterprise risk, but Zimperium also reports a higher 18% share of Android devices now running versions of the OS that can no longer be upgraded, which is broadly the same for iPhone. Given the much more open nature of Android, the risks are higher—especially going back several years. And while Google’s various services updates will still protect devices to an extent, the risks are very high.
ESET’s Jake Moore warns that “out of date operating systems can be left vulnerable to attack as criminals look for any vulnerabilities that aren’t patched and target people’s data. When phones and tablets are left without patch management, they miss out on all the latest security updates. They may be safe for the first few weeks or even months after their support has come to an end, but over time, even if the devices seem healthy, they could still easily be targeted by newly located vulnerabilities.”
The stats suggest at least 500 million Android devices are now at risk, with OS versions no longer eligible for support. StatCounter says almost 34% of devices are on Android 14 and 20% on Android 13, but one in five still use Android 11 or 12, and an alarming 4% still lumber away on Android 9, which Google stopped supporting in 2021. Android 10 reached end of life in 2023 and Android 11 in February this year.
In total, this means around 25% of Android devices are running end-of-life OS versions, or up to 750 million of 3 billion phones. Bizarrely, as bad as that situation is, it’s an improvement over the billion-plus devices reported to be out of support in 2020, which was an appalling 40% or two out of every five devices in use at the time.
Not only do you need to ensure your device is eligible for support, but that it gets those updates when they’re released. “It is important to make sure devices are set to auto update their operating system,” Moore says, “but when these devices are at their end of life, it is worth considering purchasing a newer phone or tablet that offers the latest, most secure updates to stay protected from the latest threats.”
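As an added illustration of the two checks the article recommends (is the OS version still supported, and is the device actually receiving patches), the following POSIX shell functions classify a device from its build properties. This is example code, not from the article or from Google; the end-of-life table uses only the dates the article states, and the "stale after three months" threshold is an assumption chosen to match a quarterly update cadence.

```shell
#!/bin/sh
# Added example: classify an Android device's update status.
# On a real device the two inputs come from
#   adb shell getprop ro.build.version.release        (e.g. "14")
#   adb shell getprop ro.build.version.security_patch (e.g. "2024-10-05")
# but the functions take them as arguments so they can run offline.

# End-of-life versions as stated in the article: Android 9 (2021),
# Android 10 (2023) and Android 11 (February 2024). Anything older is
# also EOL; versions not listed are treated as still supported.
android_is_eol() {
  case "$1" in
    [1-8]|[1-8].*|9|9.*|10|10.*|11|11.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Whole months between a YYYY-MM-DD patch level and a YYYY-MM-DD
# reference date. Leading zeros are stripped so "09" is not read as octal.
patch_age_months() {
  py=${1%%-*}; rest=${1#*-}; pm=${rest%%-*}; pm=${pm#0}
  ry=${2%%-*}; rest=${2#*-}; ref_m=${rest%%-*}; ref_m=${ref_m#0}
  echo $(( (ry - py) * 12 + (ref_m - pm) ))
}

# Prints EOL, STALE or CURRENT. $1 = release, $2 = patch level,
# $3 = today's date, $4 = optional max patch age in months (assumed: 3).
device_status() {
  version=$1; patch=$2; today=$3; max_age=${4:-3}
  if android_is_eol "$version"; then
    echo EOL; return 0
  fi
  age=$(patch_age_months "$patch" "$today")
  if [ "$age" -gt "$max_age" ]; then echo STALE; else echo CURRENT; fi
}

# Convenience wrapper for a device attached over adb (not run automatically).
check_connected_device() {
  v=$(adb shell getprop ro.build.version.release | tr -d '\r')
  p=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
  device_status "$v" "$p" "$(date +%Y-%m-%d)"
}
```

Run `check_connected_device` with a phone plugged in and USB debugging enabled; a STALE result on a device the OEM lists as supported usually means the update simply has not reached that model or region yet.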
When compared to Apple’s everyone-all-at-once approach to iOS updates, the situation for Android is more complex, with updates deployed by OEM, model, region and network, drip-feeding all through the month. Reports are still coming in of Samsung devices just now getting September’s updates, which in itself saw critical updates—per above—delayed a month.
It has been a dangerous year for Android, with multiple warnings that critical security threats had triggered attacks in the wild and emergency patching. Don’t take the risk—especially in a world where a cheap device with multi-year support is now available.