Even the newest phones are vulnerable to zero-day attacks. Older ones are sitting ducks, left to the mercy of cyber criminals looking to exploit well-documented vulnerabilities.
Many of the most popular older phone models are stuck with obsolete operating systems that lack updated security features.
For example, security support for Android 10 (Queen Cake) ended on the 6th of March. All older Android versions below Android 11 have been obsolete for a while now. But that doesn’t stop users from using their old devices.
In the US, one out of three Android phones (33.86%) ran on an outdated Android version (10 or lower), according to Statcounter.com. Even phones with newer Android versions may no longer receive security updates.
The situation is worse globally, with 41.42% of phones running unsupported Android versions.
Popular phones from 2019 reaching end of life
Many Samsung phones released four years ago, including most variants of 2019’s flagship Galaxy S10 and popular budget phones like the Galaxy A70, A50, or A30, no longer receive security updates, as disclosed on samsungmobile.com. The ‘s’ versions of the same A models are still on the supported devices list with biannual updates.
Samsung Galaxy S10+ still holds the crown as the most popular phone, according to online research group YouGov. But its life ended in April 2023. The first foldable Samsung Galaxy Z Fold has also already received its last security updates.
The newer S10 Lite and Note10+ variants will receive quarterly updates for longer, as those models were released in 2020 after Samsung announced support for a minimum of four years for new devices.
The well-received Google Pixel 5 retires in October 2023, while the Pixel 5a with 5G will last longer, until August 2024, according to Google.
2023 is the last year the older Pixel 4a will be updated, as planned support ends in August for the non-5G version. The 5G version will end its life in November.
Newer Pixels are protected by security updates at least until October 2026 for Pixel 6 and 6 Pro.
Apple has a reputation for supporting iPhones long after they leave the shelves. However, iPhone 7 or older phones have not received the newest iOS 16 version. While that leaves users without new features, the phone still receives iOS 15 security updates (as of July 24, 2023). The next in line to drop support is iPhone 8, which is still a capable device in 2023. While it runs the latest iOS 16 version, it’s unlikely that the model will receive iOS 17, yet some believe that basic updates might continue in 2024 or even 2025.
Critical vulnerabilities discovered each month
Even some currently supported phones are at risk, especially if they’re updated quarterly or biannually. This means that new, critical flaws may be exploited long before the fix arrives.
Android security bulletins reveal that critical vulnerabilities are discovered each month, including July.
“The most severe vulnerability in this section could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation,” the Android security bulletin of July 2023 states.
One OS vulnerability has a critical severity, and there are reports that three other vulnerabilities may be under limited, targeted exploitation, affecting all supported Android versions (11-13).
Still not convinced about the need to upgrade? Cybernews security researchers have more to say.
Researchers: your phone is a warehouse full of data
Vincentas Baubonis, information security researcher at Cybernews, believes that every phone user should know how essential security updates are.
“Picture this: your phone is like a data warehouse that’s full of valuable information: credentials to various services, your communication, banking, and payment applications, and other sensitive stuff. If you stop applying security updates to this warehouse, it’s practically the same as leaving the doors wide open for anybody to enter. Unmitigated vulnerabilities often lead to exploits, which lead to mobile trojans and spyware being installed onto the end user’s device. That subsequently allows for a full device takeover and confidential information breach,” Baubonis explained.
The device should be continuously updated, preferably with automatic updates, and if it reaches the end of its life, Baubonis recommends replacing it with a newer one.
According to Mantas Kasiliauskis, information security researcher at Cybernews, cybercriminals are very quick to exploit known vulnerabilities.
“For example, if there’s a written exploit in the Metasploit tool (widely used penetration testing and exploitation framework), the attacker could exploit a vulnerable device within minutes,” he said.
Usually, the time needed for an attack varies widely, depending on the vulnerability's severity, the affected software's popularity, and the exploit's complexity.
Even though everything seems to be working fine, according to Kasiliauskis, the most significant risk for an old device is the presence of unpatched security vulnerabilities in the operating system and pre-installed apps. Over time, new vulnerabilities are discovered and add up, and without updates, the devices remain exposed to potential attacks and exploits.
“Outdated devices are more susceptible to malware infections, which could compromise sensitive data, identity theft, unauthorized access, and many more. Also, if the phone no longer receives updates, it could lead to app incompatibility, and it could not access certain features,” Kasiliauskis explained.
The device may not show any signs of being compromised. The most common visible signs could be an unusual battery drain, slow performance, overheating, strange pop-ups or ads, new and unfamiliar apps, etc.
iPhones have security advantages compared to Android devices as Apple tends to provide software updates for longer than most Android manufacturers.
“The iOS ecosystem is more closed and controlled by Apple. This means that Apple can limit the installation of apps from third-party sources. It’s worth mentioning that iPhones use hardware-based encryption by default, providing an extra layer of protection for user data,” Kasiliauskis concluded.