The UK consumer watchdog Which. made headlines last week when it declared that "more than one billion Android devices are vulnerable to hacker attacks."

At least one tech news site responded, "Duh." That's because the Which. announcement is old news, and anyone who understands the lifecycle of a smartphone knows that's why you need to replace your Android smartphone or tablet every three years and your iPhone or iPad every five years.

Gadgets get old quickly. Google releases a new version of Android every year and only does security updates for that version and the two previous versions.

Which. states that "Google has been repeatedly upgrading Android versions like a hungry child released on a dessert trolley," when in fact Apple does the same thing and only supports the two most recent versions of iOS.

The difference is that while Apple ensures that each iPhone model receives OS updates for five years (some models last longer), Google only guarantees security updates for three years - and that's with Google's own Pixel phones and only for third-party phones participating in the Android One program.

For other Android phones and devices, security updates could run out in as little as 18 months. (Keep this in mind when considering an Android TV or a car with an Android-based infotainment system.) This is not entirely Google's fault; part of the blame lies with device manufacturers who try to lock their customers into a rapid upgrade cycle.

In other words, if you have an Android phone that is more than 3 years old and you can't update it to Android 8 Oreo or later, leave it at home and buy a new phone to take out into the world. If your iPhone is 5+ years old and you can't update to iOS 13, do the same.

If you get a new Android phone, make sure it is one that will receive security updates in a timely manner; Google's Pixel phones and third-party Android One phones are within a week or two of the update being released. This is optimal because they will receive the update.

Updates for other phones are manufacturer-dependent, and it is not clear which phones are best for updates; one early 2019 study by Android Authority found Sony and OnePlus to be the best at distributing updates but Counterpoint countered in late 2019 that Nokia and Samsung were the update champions.

Whichever model of Android phone you get, you'll want to install one of the best Android antivirus apps because Google's built-in security protection, Google Play Protect, is terrible. Alternatively, buy an iPhone and you won't have to worry about it for five years.

Which. arrived at its headline conclusion by looking at a snapshot of market share for Android provided by Google in May 2019. At that time, "42.1% of active Android users worldwide (were version 6.0 or earlier)."

At that time, only Android 9 Pie, Android 8 Oreo, and Android 7 Nougat had received the update. It is not.

Ten months later, the situation is a bit better. Google has not updated its market share dashboard since May, but several third-party statistics services provide updated figures.

AppBrain collects data from "over 100 million monthly users" running apps that use AppBrain code. It estimates that on February 29, 2020, 36.8% of Android devices were running Pie, 21.6% were running Oreo, and 5% were running the latest version, Android 10.

This is 63.4% of live Android devices that can receive updates, or about 36.6% that cannot.The AppBrain survey found that about 12.8% of Android phones were running Nougat, but when Android 10 in September 2019 was released, that version of Android stopped being updated.

Statcounter collects data from "over 2 million websites" and aggregates which operating systems visitors are using. According to the report, in February 2020, 41.4% of Android users were using Pie, 20.2% were using Oreo, and 7.3% were using Android 10, for a total of 68.6%. 9% of devices able to get security updates. (Nougat's share was 6.7%, half of AppBrain's estimate.)

Still, even in this most optimistic possible picture, nearly a third of active Android devices remain unable to receive security updates. It is the users of those devices who are most likely to fall prey to scammers, hackers, and rogue apps.

So don't be one of the victims waiting in the wings: get an iPhone or an Android model that guarantees security updates for three years--a Google Pixel or Android One phone.