This article may contain personal views and opinion from the author.
If this is the image in your mind, I wouldn't be surprised. | Image by PhoneArena via Gemini
Are Android updates a scam? I get asked this question very often. Don’t get me wrong, when you work at a place like this, being asked for tech advice is par for the course. But why would so many of my friends ask me about Android updates specifically?
Of course, it was because of marketing. Right now, the summary of some campaigns reads: “If you’ve run out of updates, your photos, money, and user data are in danger.” So I grabbed my metaphorical shovel and did some digging.
Those promises for decades of software updates are kind of a scam, yeah. But at the same time: not at all. That’s super important, and also why I love this topic.
You are the target, not your phone
Overthinking complex topics can be confusing. | Image by Cottonbro
Hold your breath, because I’m going to scare you: cyberattack! Oh, such a scary term. It takes our money away, pretends to be other people, and steals grandma’s valuables. It also allegedly hijacks phones.
Yes, undeniably so: software exploitation is part of cybercrime, and it’s super-duper important, hence why it is also scary. But do you know what also counts as cybercrime?
Phishing
Social engineering
Scam calls
Users not protecting their login info
Malicious apps, widely available on official app stores
I don’t think I need to highlight that to partake in most of the activities described above, you don’t need to know code, write code or wirelessly tap into someone else’s phone. All it takes is a convincing tone of voice, a sense of urgency, and a single phone call. And I’ll save you the trouble: most of end-user-facing cybercrime is exactly of this type.
There’s a critical difference between software exploitation and all the other types of cybercrime described above, and that’s the way in which users participate. It’s not up to you if someone sends you a malicious email, or calls you while pretending to be someone else only to try and scam you.
But it is up to you to protect your data, and not allow yourself to get into dangerous situations. That, however, comes at the cost of information and critical thinking: skills that the user must have. Yes, you must be relatively proficient in the same to escape from, let’s say, a social engineering attempt. But you can almost entirely escape the possibility of putting your tech in software-dependent danger through knowledge.
Nevertheless, even then, your phone isn’t impervious to hacking. And if that’s the case, how come my neighbor's old Moto G Power still supports NFC wireless payments if it hasn’t received a single security update in months? On paper, he’s supposed to be a prime target to get his money stolen. After all, even if you are careful — your phone isn’t impervious to hacking.
Well, let me put it like this: how many people do you know that have actually been hacked? Yeah, me neither.
The “scary” numbers don’t always add up
The information available is not always meant for us. | Image by Matias Mango
Why are we making all of this big fuss over security updates if people rarely get hacked?
Well, as it turns out: they do. I’ll spare you the boring numbers and esteemed namesakes, but there’s a ton of historical data to support evidence of thousands of imminent exploits. For a quick example, let's look at Project Zero, which has done fantastic work in this field and has helped not just prevent similar attacks from happening again, but also stopped some in real time. That’d be genuinely amazing if not for one fine detail: Project Zero is funded by Google.
Which, just in case you’ve not paid attention thus far, is the company behind Android to begin with.
Now, after we’ve collectively raised our eyebrows, let me tone it down: of course, this isn’t the only company fighting the fight, nor does this diminish the impact of the results. It does, however, make things very skewable in a way that could benefit certain parties, and we shouldn’t need an excuse to find that odd.
But here’s the truly shocking part: there is no independent, third-party research that focuses on the impact on the end-user. That’s you, by the way — highly likely, at least — the guy or lady with the fancy phone, reading this right now, after playing two rounds of TFT and about to brainrot another hour away on Insta. We all do it. And as far as I can see, we’re quite the large party of people, heavily invested in owning phones — with that being a modern necessity nowadays — so why isn’t anyone researching how many of us are getting hacked?
Of course, I started with asking around. Some people told me about a story “they know” about “a guy” who has gotten “hacked”, but it was always incomplete: nameless guy, unspecified exploit or period. In some stories, he even had an iPhone, and that detail seemed to bother just me.
Naturally, I proceeded with asking around online. But answers were not much more reassuring.
Users online continuously insisted that security updates are super-duper important, but failed to give me real-life examples of why. I moved on to tech forums, specifically those dedicated to Android development, and there I got more of the same, just way better reinforced.
But see, that’s the part that bugged me: of course the devs will say it’s important. It’s what they do for a living, and a lot of them — if contributors to the Android open-source community — don’t even get paid for it. Then there’s the case for professional bias: since these guys know how to fix many of these software exploit situations, they probably know how to make them happen too. That, naturally, makes them more paranoid. I mean, when’s the last time you saw a lifestyle coach eat at McDonald’s, right?
Then there’s the other critical side: would you go public if you get hacked, or would you just quietly hope that no one found your embarrassing search history online? Would you report it to authorities, hoping you would get help? Many people don’t report real-life instances of abuse or violence, so we don’t have much reason to believe that the same would report getting their phone hacked (especially after they probably played right into it).
In short:
Cybercrime is bad (duh, it’s in the title)
We have tons of documentation to support that security risks exist
It’s practically impossible to measure the real impact on regular phone users
This paints a pretty bleak picture. But that’s just one side of it. Here’s the other:
Most users don’t use their phone in a dangerous manner at all. After all, if you don’t make risky moves and use your phone to make calls and browse the web, realistically you aren’t in much danger.
Most software attacks that are on a high danger level don’t target people — they target companies, services, and products.
And while that second point may read like even more things to worry about, trust me: it’s great news.
You, and your phone, are safer than you know
It might seem like this, but it really isn't. | Image by Tima Miroshnichenko
I can’t go public with this info, so let’s collectively hope I don’t get sued over sharing this nonspecific information: I know for a fact that two huge corporations, acting on practically a worldwide scale, use Windows 7 as a backend for their software.
That’s an operating system from 2009, which stopped getting support in 2020.
These companies support millions of users. Does that mean that they are putting them in danger? No. And this is the key part. But let me provide an example that’s easier to understand:
Let’s say that one such company was a bank. Obviously, it doesn’t rely on Microsoft — developer of dead operating system Windows 7 — to get security updates. Instead, the bank’s internal team of security specialists has developed layers of security over the entire system, to ensure that what they need works without putting anyone at risk. Yes, Windows 7 is in the picture, but only as a base on which the action happens. In reality, your bank is making sure that you can use their app 100% safely… Even if it might be hosted on Windows 7 on the other end. Unverified info, don’t quote me on that.
But wait, it gets even better. I hope that your bank doesn’t host its app on a fishy link, and that you have downloaded it from Google Play. If yes, then you’re in luck: Google Play Protect is a thing, and it works very hard to ensure that the apps you are downloading are safe. Sure, the odd one slips through once in a while, but give Google a break: you too catch a cold once per year, right? Also, Play Protect works regardless of if your phone is getting regular updates or not.
There’s also Project Mainline — one of Google’s most ambitious ideas to date. Essentially, it enabled Android’s parts to get updated without messing up the hardware of your phone and without the need for its manufacturer to push out a full update. While this doesn’t remove the outright need for software updates, it means that using an older phone now is safer than it ever was before.
This essentially explains two things:
Most research focuses on companies and products, because that is what you — the end user, still pending on that Insta doomscrolling sesh, I hope — end up using. By doing this, these companies can use the data to improve their security, which provides extra safety to you by proxy. Quite elegant!
All the fearmongering around security updates is wrong, because it’s based on research that doesn’t matter to you, and often impacts services that work really, really hard to eliminate those same threats before they ever reach your device.
Which is great. But that still doesn’t explain if security updates are a scam.
Risk is permanent, but life goes on
Cybersecurity starts with your knowledge. | Image by Cottonbro
I’ll tell you a secret: if someone really wants to hack you, they probably will. You likely won’t ever find out. I have plenty of friends who work in the field of cybersecurity, and they are the same guys who have “trained” me to be careful online. Yet, despite their tutelage, every time I challenge them to hack me and I do my best to stop them, I fail.
But trust me, it’s a blast when I challenge them to write an article that makes sense, so touché.
I don’t want to scare you. I want you to find the thought above liberating. Because even if you are careful all the time and using the most protected smartphone on earth — you could always get hacked. At the same time, even if you use a years-old phone, you might never get hacked. It’s just a complex matter.
The part that bugs me is that a lot of the marketing claims around security updates may come off as fearmongering. And obviously, it’s not hard to see it that way when we know for a fact that numerous companies benefit from you getting a newer phone. At the same time, you must understand that the hyperbole in play isn’t meant to hurt you — it’s made to make you pay attention.
It’s like PSAs — real life isn’t as dramatic (or, let’s face it: cringe), but that made you stop and look. Same thing here: lots of noise so you are informed, and you notice.
Let me be perfectly clear: I’m not here to give you permission to whip out your favorite phone from seven years ago, because you can use it safely. I am here to fight misinformation and to arm you with knowledge.
Who’s really at risk?
Thrillseekers and enthusiasts: people who love high-level modding, sideloading apps, and doing funky stuff like downloading a “super-legit” .apk of the remarkable Dead Space game for smartphones, which is no longer supported but actually still works, from a “really secure” website (I’m this guy, btw, and we deserve to get this game back!) — let’s keep the hype up, but also on devices that are up to date, yeah?
Professionals of different fields like journalists, software developers, public figures – people who’d be easy to target because there’d be something to gain. I’d say that these guys should take extra measures and always stick to phones with active security update cycles.
What really matters about security updates:
Android software updates and security updates are awesome, and essential. It is always preferred to have those, and we should all fight to get even longer support cycles.
When your phone stops getting security updates, it’s not the end of the world. You don’t need to replace it immediately, and you won’t get hacked immediately after that.
If you are really debating getting a new phone, I’d say that lack of security updates should weigh in at about 30%. For context, I’m giving a broken screen 20% and a dysfunctional charging port 10%.
The real red alert should go off when your essential apps — banking, calls, messages, navigation — stop getting updates, or outright ask you to stop using them because they are outdated. This absolutely means that you must get a newer phone.
No matter what, your biggest weapon is your critical thinking. Don’t go with the flow: if something looks suspicious, it probably is. Even asking on Reddit is better than taking a blind risk.
Keep in mind that awesome projects like LineageOS breathe new life into old phones, which also includes security patches. It takes some tinkering and isn’t super-straightforward, but you’ll likely be able to get it done with a bit of help from a tech-savvy friend.
Best practices for keeping yourself safe:
Restart your device every so often. Even if someone is trying to get you, the connection will get interrupted, and in most cases, they’ll have to spend time establishing it again. A lot of criminals get turned off by this and just move on to another target.
Mind those toggles: stop things that you aren’t using, like Bluetooth or NFC. Each one of them is two-way, which means that someone can use them to get in. Plus, it’ll save you some battery life, which is always welcome.
Keep your apps updated. Turn on auto updates over WiFi. Manually check for new versions every other day, especially if you are using your device to handle sensitive data or for payments.
Back your stuff up. Yes, really. No, not just on the cloud — if you get hacked, that’s likely part of the picture.
Use 2FA! Seriously, people, it’s 2026. How many more times do I have to tell you? This can save you in extreme situations, especially if you’re already good at calling out social engineers.
Don’t risk it. If you’re wondering if it’s worth the risk: it probably isn’t. General life advice, btw.
Don’t live in fear, but stay vigilant
Trust your phone to be smart. | Image by Sora Shimazaki
Let’s face it: we can all most likely name at least one company that has tried to capitalize on the fear generated by cyberattacks by announcing that certain products will not receive further updates. And this is what bothered me enough to get me to write this article.
Tech giants have to understand that a user’s security isn’t another monetization opportunity. If they are legit about the quality of their products, that should be the marketing aim. We don’t need fear tactics: we need good engineers, and more ways to teach people how to be safe online.
Yes, there will inevitably come a time when you have to replace your phone. But will that time come as soon as your update cycle is over? Realistically, for most people — no. If your phone is usable, and your essential apps are getting regularly updated, and you use your device a bit more consciously, you’ll likely be fine.
Stan, also known as Stako, is a smartphone enthusiast who loves exploring the limits of Android customization. His journey with mobile tech began with the Nokia 5110 and evolved with devices like the BlackBerry 9350 Curve and Samsung Galaxy A4. Despite his love for Android, he holds equal respect for Apple, considering the iPhone 4s as a significant milestone in mobile tech. Stan started his writing career early, contributing to MetalWorld, and harbors a passion for creative writing. Beyond smartphones, he's interested in photography, design, composition, and gaming, often preferring solo projects to hone his objective thinking. He's also an avid student of open-source technology and consoles, with a special fondness for the Pebble Watch, Arduboy, and Playdate.