Roughly one billion people are currently carrying devices that Google no longer protects with system-level security patches. One. Billion. That isn’t a rounding error or media sensationalism, it’s the cold arithmetic of Google’s own distribution stats crossed with the global Android user base.
If your Android phone launched in 2021 or earlier and is still running Android 12 (or older), Google has officially stopped sending it security patches. That decision, which became final in the first half of 2025, quietly moved roughly one billion active Android devices into a high-risk category.
When you multiply that percentage by the estimated global Android user base, the math lands somewhere between 950 million and 1.1 billion devices that are, from a software-security perspective, frozen in time.
This isn’t a minor technical footnote. It’s one of the largest simultaneous security exposures in consumer technology history.
According to Android’s most recent platform distribution statistics (the same numbers Google publishes monthly), only 57.9% of all active Android devices worldwide are currently running Android 13 or newer — the versions that still receive monthly or quarterly security updates from Google.
That leaves 42.1% — more than four out of every ten Android phones — running versions that no longer get system-level fixes for newly discovered vulnerabilities.
That means no more fixes for kernel exploits, no more patches for media-framework remote code execution bugs, no more hardening of Bluetooth and Wi-Fi stacks, no more updates to the parts of Android that actually matter when attackers want to get inside your device silently.
And yet millions of people shrug and say:
“My phone still works perfectly.”
“I don’t download shady apps.”
“It’s only three-four years old — it’s not that old.”That attitude is no longer naive. It’s dangerous.
Google develops Android and maintains the AOSP (Android Open Source Project) codebase. But outside of its own Pixel phones, Google does not control when or whether most manufacturers actually ship updates to end users.Samsung, Xiaomi, OPPO, Vivo, realme, Motorola, OnePlus, Tecno, Infinix, Transsion brands, and hundreds of smaller players each maintain their own fork of Android, their own update schedules, and their own end-of-life policies.
Most mid-range and budget phones receive only 2–3 years of major OS updates and sometimes only 3–4 years of security patches — if they’re lucky.Flagships from 2020–2021 often received four major OS upgrades (e.g., Android 11 → 12 → 13 → 14), but very few crossed into Android 15 territory.
By early 2026, the majority of those devices have reached the end of their promised support window and are now officially unsupported.
Apple’s model stands in sharp contrast. Because Apple controls both hardware and software, it routinely delivers iOS and security updates to phones that are six, seven, and sometimes eight years old.
Current StatCounter estimates show roughly 50% of active iPhones already on iOS 26 (the newest version), with another ~40% still comfortably on iOS 18 — meaning nearly 90% of the iPhone population is running versions that continue to receive patches. The security longevity gap between the two ecosystems has been wide for over a decade and shows no sign of closing.
Google has repeatedly emphasized that Play Protect continues to operate on devices running Android 7.0 and newer — even those long past end-of-support.
Play Protect does three useful things:
- Scans apps (both from Play Store and sideloaded) against known malware signatures
- Delivers updated threat definitions in near real-time
- Can warn users about or block dangerously behaving applications
That protection layer is meaningful. It catches a large percentage of commodity malware, adware, and trojans that rely on known malicious patterns.But security researchers, penetration testers, and incident-response teams are unanimous on one point: Play Protect cannot replace missing OS-level patches.
However, Google stopped sending security updates to Android 12 and older in early 2025. Full stop.That instantly turned hundreds of millions of still-perfectly-functional-looking phones into ticking time bombs from a cybersecurity perspective.
We’re not talking about theoretical nation-state attacks. We’re talking about commodity banking trojans, SMS-stealing malware, accessibility-service abuse kits, overlay scams, and OTP-forwarding spyware that teenagers can buy on underground forums for $200–$800 in crypto.
These tools are specifically tuned to exploit exactly the kinds of unpatched vulnerabilities that pile up on Android 10, 11, and 12 devices that haven’t seen a meaningful system patch in 12–24 months.
What actually gets stolen
The most common financial attack patterns seen in 2025–2026 on unsupported Android devices include:
- Overlay attacks — fake banking login screens that capture credentials and OTPs
- Accessibility-service abuse — malware that turns itself into an “accessibility helper” and reads the screen contents in real time
- SMS-interception trojans — apps that silently forward incoming OTP messages to attacker-controlled servers
- Keyloggers and form-grabbers — capturing UPI PINs, credit-card details, trading-app passwords, crypto-wallet seeds
- Ransomware variants that encrypt photos, documents, and contacts and demand payment via cryptocurrency
In India alone, UPI fraud reports surged again in 2025, with a significant portion traced back to Android devices running Android 11 or older. Similar patterns appear in Brazil, Indonesia, Nigeria, and other Android-dominant markets where mobile banking has become the primary way people move money.
And the worst part? The people most exposed are often the ones who can least afford to lose money:
- Daily-wage workers in India using UPI for every vegetable, rickshaw ride, and electricity bill
- Small traders in Indonesia, Nigeria, Brazil, Philippines relying on mobile banking
- Students sending money home
- Parents managing family expenses
- Retirees using digital wallets because going to the bank is now difficult
When ₹30,000 disappears in three UPI transactions you never authorised, or when a ₹2 lakh personal loan appears in your name that you never applied for, “my phone still works fine” stops being a defense. It becomes an epitaph.
Play Protect is not your guardian angel, stop believing the marketing
Google keeps repeating that Play Protect still works on Android 7 and newer.Yes, it does.
And it’s helpful, against 2018-level malware.But Play Protect is an app scanner with updated signatures and some behavioral heuristics. It is not a replacement for missing OS patches.
When a banking trojan exploits an unpatched privilege-escalation bug in the kernel to gain system-level access, it can:
- Disable Play Protect
- Grant itself accessibility privileges without asking again
- Read every notification
- Overlay fake login screens
- Intercept SMS silently
- Record the screen while you enter your UPI PIN
Play Protect will never see most of that chain because the damage happens below the app layer, in parts of the system Google no longer patches on those old versions.
Pretending that “Play Protect is still protecting me” is like saying your house is safe because you have a good front-door lock while every window on the ground floor has been broken for two years.
The manufacturers don’t care and Google can’t fix their mess forever
The real villain here is Android’s eternal fragmentation tragedy.Google makes Android.
Google pushes monthly security patches to Pixels for seven years now. Google begs manufacturers to ship updates faster and longer.
And most manufacturers still treat phones like disposable appliances:
- Two major OS updates
- Three years of security patches
- Then silence
Samsung has improved. Google Pixels are excellent. Nothing and some Motorola models are trying. But the overwhelming majority of the billion vulnerable devices come from brands that stopped caring years ago.
That leaves you, the user, holding the bag.My honest, no-sugar-coating advice in 2026
- Right now, open Settings → About phone → look at your Android version and your last security patch date.
- If you see Android 12 (or older) and your security patch level is before mid-2025 → your device is already in the danger zone.
- If your manufacturer’s website confirms no more major upgrades or security patches are coming → accept that this phone is no longer safe for anything involving money or private credentials.
If you’re stuck on Android 12 or below and the manufacturer has confirmed that no further major upgrade is coming, the honest recommendation is straightforward: replace the device.
You do not need to buy a ₹80,000–₹1,50,000 flagship. The security improvement comes from the version number and the update promise, not the price tag.
Excellent mid-range options launched in 2023–2025 (now widely available at steep discounts) ship with Android 14 or 15 and are promised at least four years of security updates — often five. Brands that have noticeably improved update performance include:
- Samsung (A-series and higher models after 2022)
- Google Pixel (even older Pixels still get excellent support)
- Nothing Phone
- Motorola (select Edge and Moto G models)
- Xiaomi / POCO / Redmi (HyperOS devices launched 2024 onward)
Even a ₹15,000–₹25,000 phone released in the last two years will almost certainly be far safer than a 2020 flagship still running Android 11 in 2026.
The bigger picture — and the uncomfortable truth
Android’s fragmentation was once dismissed as a trade-off for openness, choice, and affordability. That argument is becoming harder to defend when the consequence is leaving a billion people exposed to preventable exploits.
Google deserves credit for extending support longer than most OEMs expected and for continuing Play Protect coverage.
But the company has also made its position clear: it will not indefinitely back-port security fixes to versions that are six or seven years old. Resources are finite, and the attack surface grows exponentially with age.
The result is a stark reality check: security longevity is now a primary purchasing criterion, not an afterthought.
Just as most people no longer buy a car without airbags and ABS, the next generation of smartphone buyers will (and should) ask: “How many years of security updates does this get?”
Until manufacturers collectively commit to longer support windows — or until regulators force minimum support periods — the safest choice is to treat any Android phone stuck on Android 12 or older as a ticking liability.
If that phone holds your banking apps, UPI IDs, stock-trading logins, family photos, work emails, or two-factor authentication codes, the calculation is simple:
The cost of a new mid-range phone is almost always lower than the cost of a drained account, a fraudulent loan in your name, or months of identity-theft recovery.
The uncomfortable truth nobody wants to say out loud
In 2026, continuing to use an Android 12 (or older) phone for mobile banking, UPI, stock trading, crypto wallets, or two-factor authentication is not “being practical”.It is willful risk acceptance.You are actively choosing to roll the dice every single day — knowing full well that the dice are loaded against you.
The house (cybercriminals) wins far more often than most people admit.If you wouldn’t keep using Windows XP in 2018 to log into your bank, you shouldn’t be using an unpatched Android 12 phone in 2026 to do the same thing.
Check your version tonight.
Be honest about what you see.
Then decide whether you’re willing to keep playing Russian roulette with your money and your privacy.
I already made my choice.
I replaced my old device the moment it fell off the security train.
I sleep better because of it.You should too.
Naorem Mohen is the Editor of Signpost News. Explore his views and opinion on X: @laimacha.