According to watchdog Which?, users around the world could be exposed to data theft, ransom demands and malware attacks because their devices are no longer protected by security updates.
The organisation suggested anyone using an Android handset released in 2012 or earlier should be concerned.
While Google's own data says 42.1% of worldwide Android users are using version 6.0 or below of its operating system, the Android security bulletin says there were no patches issued in 2019 for versions below 7.0.
Which? insisted Google has "failed to provide reassurance that it has plans in place to help users whose devices were no longer supported".
The company's computing editor said: "It's very concerning that expensive Android devices have such a short shelf life before they lose security support, leaving millions of users at risk of serious consequences if they fall victim to hackers.
"Google and phone manufacturers need to be upfront about security updates - with clear information about how long they will last and what customers should do when they run out.
"The government must also push ahead with planned legislation to ensure manufacturers are far more transparent about security updates for smart devices - and their impact on consumers."