We asked some of the major security vendors for their opinions on this issue and what sorts of threats users on older versions of Android are not protected against.
Trend Micro's Rik Ferguson agreed that Android users should be concerned about being left high and dry after receiving only one update to their mobile device.
"It's indisputable to say that a lack of updates to older versions of Android OS will expose users of that platform to greater risk," Ferguson said.
"Some of the updates include patches for identified vulnerabilities that could lead to the dreaded 'remote execution of code', other updates may add, for example, important security-related functionality such as encryption or address space layout randomisation (ASLR) that make a device less susceptible to compromise or exploitation. So, the increased, or perhaps rather undiminished, exposure is clear."
Romanian security firm Bitdefender also raised concerns over the number of Android users left without updates to the latest software versions.
The firm's chief security strategist, Catalin Cosoi, said, "Malware that broadcasts all data from infected devices to an attacker-controlled server, or SMS Trojans that constantly run in the background and send text messages to premium rated numbers, were mostly reported on Android 2.2 Froyo and Android 2.3."
Cosoi explained that Android's customisable system, which allows OEMs to create signature apps and unique mobile experiences, enables fragmentation, and that the fast adoption of low-end devices that run deprecated Android versions leaves users exposed to either old malware or new threats based on vulnerabilities documented years ago.
"Since Android security updates can sometimes take eight to 10 months to reach users - best case scenario - it leaves a wide window of opportunity for malware coders to develop and deliver Trojans and whatnot," Cosoi added.
"With a high price on personal data and millions of Android devices running out-of-date builds such as Froyo, coders will likely find new ways to develop malicious apps and trick users into downloading and installing them."
Mobile security outfit Trustgo backed up these claims in its latest study, finding that over 25 percent of Android apps worldwide feature code that can leverage application permissions and create security vulnerabilities.
Of the 2.3 million Android apps analysed by Trustgo in the fourth quarter of 2012, 511,000 were identified as high risk, defined as being able to make unauthorised payments, steal data or modify user settings.
But what do the manufacturers have to say for themselves? We asked a few of the major players - HTC, Sony and LG - why they are happy to leave their customers on older versions of Android where they could be exposed to the kinds of threats Trustgo, Bitdefender and Trend Micro highlighted.
Samsung's excuse was that although it does work closely with the OS providers to offer the latest software to as many devices as possible, the hardware specifications of some models are limited to, and fully optimised for, the experience of the OS that the device launched with, which was the latest OS at the time of launch.
"As well as OS upgrades, Samsung continues to work hard to improve usability, provide advanced features and additional value for customers," the firm said. "Samsung will stay committed to providing the best possible mobile experience for consumers."
We are still awaiting comments from the other manufacturers we contacted.
Though it might be manufacturers that are largely at fault, Trend Micro's Ferguson pointed out that a major part of the problem with Android vulnerabilities is human nature.
"The vast majority of malicious mobile apps are still Trojans, exploiting the victims' curiosity, or desire for a freebie," he added, hinting that many users need to be more aware when using the OS, and not get duped by suspicious 'too good to be true' offers in pop-ups, counterfeit apps from fake app stores and links that offer a prize for clicking on them.
These latest figures demonstrate that Android handset makers need to up their game when it comes to keeping their older customers up to date and safer from mobile security vulnerabilities. But perhaps they are also a warning to all smartphone and tablet users on all versions of Android - old and new - to remain vigilant and be careful about how they spend their time with Google's mobile operating system.