CERT-In's High-Risk Alert: A Survival Guide for Indians Using Phones Without Security Updates

In a stark warning issued in May 2025, the Indian Computer Emergency Response Team (CERT-In) flagged multiple high-risk vulnerabilities in Android versions 13, 14, and even the pre-patched version of 15. The agency warned that these flaws could allow attackers to remotely execute code, access sensitive personal and financial data, and even disable devices. While this alert prompted manufacturers to roll out security patches for newer phones, it left users of older, unsupported devices in a perilous position. If you own a phone that no longer receives security updates, you are permanently exposed to these and countless other threats. However, being vulnerable doesn't mean being defenseless. Here is a practical survival guide to mitigate the severe risks posed by AI-powered threats in 2025. **1. Acknowledge Your Device's Status and Limit Its Use** The first and most crucial step is to accept that your phone is inherently insecure. Check your security patch level by going to `Settings > About Phone > Android Version`. If the date is more than six months old, you should consider your device unsupported. Given this, you must treat it as a compromised device and limit its use for sensitive activities. Avoid using it for mobile banking, UPI payments, storing sensitive business documents, or engaging in confidential communication. If possible, relegate the old phone to secondary tasks like music, offline maps, or as a basic calling device, and use a newer, supported device for your digital life. **2. Install a Reputable Mobile Security Suite** While your phone's operating system is vulnerable, a high-quality mobile security application can provide a critical layer of defense. Choose a suite from a reputable provider like Kaspersky, Malwarebytes, or Bitdefender. These applications can't patch the OS-level vulnerabilities, but they can: * **Scan for Malware:** They can detect and block known malware, including some variants of Trojans like 'RewardSteal'. Their databases are constantly updated to fight new threats. * **Web Protection:** They can block you from accessing known phishing and malicious websites, even if you are tricked into clicking a deceptive link in an SMS or email. * **App Vetting:** Some security apps can analyze the other apps on your phone, flagging those with overly intrusive permissions. **3. Scrutinize Every App Permission** This is one of the most powerful tools at your disposal. Modern mobile malware, especially Trojans that aim for remote access and financial theft, relies heavily on abusing powerful permissions. Be extremely cautious about granting any app, especially one downloaded outside the Play Store, access to: * **Accessibility Services:** This is the 'master key' for malware. No app should require this permission unless it is a genuine accessibility tool for users with disabilities. Granting it allows an app to see everything on your screen and control your device. * **SMS:** Be wary of apps that want to read or send your text messages. This is how malware intercepts OTPs. * **Device Admin:** This permission makes an app very difficult to uninstall. Scrutinize any app that asks for it. Regularly audit your app permissions in your phone's settings and revoke any that are not absolutely essential for the app's core function. **4. Disable 'Install from Unknown Sources' and Stick to Official Stores** Never sideload applications (install APKs) from websites, email attachments, or messaging apps. This is the most common way malicious software gets onto a device. While even the official Google Play Store is not 100% foolproof, it has robust scanning mechanisms that block the vast majority of malware. Ensure the 'Install from Unknown Sources' setting is turned off for all your apps. **5. Become an Expert at Spotting AI-Generated Scams** Since AI makes scams look perfect, you need to change your verification tactics. Do not trust the content of a message; trust the contact method. If you receive an urgent SMS from your bank, do not click the link. Close the message, open your browser, and manually type your bank's official website address or use the official app. If you get a WhatsApp message from a friend asking for money, call them on their known number to verify. Be inherently suspicious of any unsolicited message that asks you to click a link, download an app, or provide personal information, no matter how legitimate it appears. For users of unsupported devices, this vigilance is not optional—it is your primary firewall.