Pay monthly phone customers at risk of security issues

Written by: Emma Lunn

Mobile phone retailers are selling devices that could lose vital security updates before pay monthly contracts have finished, according to Which?

The consumer champion found that the short shelf life of phones supplied by manufacturers leaves owners exposed to hacking attacks by cyber criminals.

Which? looked at mobile phone contract deals across a range of retailers and found that 48% of the dozens of phones available could lose security support before the end of the contract period.

The amount of data held on phones is a goldmine for criminals, and a lack of updates potentially leaves them vulnerable to attacks that allow hackers to take complete control of the phone and steal personal information, and that could leave phone owners facing bills of hundreds of pounds for services that they have not used themselves.

The retailer with the highest proportion of devices that could lose update support was O2, because its contracts can last up to 36 months. Three-quarters (73%) will potentially be left unsupported at the end of the three years, and a fifth (21%) could lose support less than a year into the contract.

Why are security updates important?

Phones are designed to keep our personal information safe. Brands do this by sending out updates for you to download on to your handset. These often contain usability improvements and, more importantly, security patches, which fix any holes in the software that can be exploited by hackers.

Manufacturers don’t send these out indefinitely though, and some only support phones for two years after they launch. Once you are out of support, it is time to start thinking about upgrading. Your phone is not automatically insecure overnight, but the risks do increase the longer you wait.

The most vulnerable handsets

Which? estimated when a phone is likely to lose support by using its launch date, knowledge of brands’ official update policies and the support cycles of older handsets.

In its investigation, it matched this information with 50 contracts provided by Carphone Warehouse, 42 by EE, 62 by Mobiles.co.uk, 48 by Mobile Phones Direct, 73 by O2, 50 by Three and 66 by Vodafone.

Which? researchers came across a number of popular handsets due to run out of support less than a year into the contract. These include:

  • Motorola G8 Power – sold by mobiles.co.uk and Vodafone
  • Oppo Find X2 Lite – sold by EE, Mobile Phones Direct, mobiles.co.uk, O2 and Vodafone
  • Samsung Galaxy S9 – sold by Vodafone

All were available despite no indication to consumers that they would soon pose a security risk through a lack of updates.

Mobile phone retailers

Across the board, mobile phone retailers were selling a whole host of devices that could lose security support before contracts ended.

In addition to O2, the proportions of contract phones on sale with similar problems were: Carphone Warehouse (52%), Mobiles.co.uk (50%), Vodafone (50%), Three (40%), Mobile Phones Direct (38%) and EE (33%).

Lack of transparency

Which? says a lack of transparency around important updates is a big part of the problem. Four in 10 (40%) smartphone owners think that if they buy a phone on contract it will receive security updates throughout the contract period, according to a Which? survey.

It is also clearly an issue that matters to consumers – seven in 10 (69%) said that they would be concerned if their phone was no longer receiving security updates.

What do the networks say?

EE and Three disputed some of the mobile phone models included in Which?’s analysis – and said that these phones would be supported until the end of contracts. Vodafone said that “support generally extends beyond the timeframe you reference.” However, Which? believes these phones could be out of support before the end of contracts, according to its research.

Which? is calling for mobile phone brands to provide security updates for a minimum of five years from a model’s release. It says a lack of support can give phones needlessly short lifespans, which could mean they are discarded earlier than they should be or end up in landfill. It can also lead to insecure phones being sold second-hand.

The consumer champion is calling for manufacturers and retailers to be far clearer with consumers about how long phones are going to be supported with security updates so they can make more informed choices and protect themselves against these security risks.

Kate Bevan, Which? Computing editor, said: “Mobile phones without the latest security support could leave consumers vulnerable to hackers, so it is important that manufacturers supply these defences for longer and that retailers are clearer with people about the risks posed by phones that will not receive vital updates for the duration of contracts.

“The government’s Product Security Bill needs to ensure that manufacturers state the date a device will be supported until – and that this information is clearly displayed on retailers’ websites. Devices need to be supported for five years minimum across all manufacturers so that consumers are better protected.”