Mobile phone retailers are selling devices that could lose vital security updates before pay monthly contracts have finished, leaving them exposed to cyber criminals, according to Which?.

The consumer organisation found that 48% of mobile phone deals across a range of retailers could lose security support before the end of the contract period.

It warned that the lack of updates potentially left owners vulnerable to hackers who could take control of the phone and steal personal information, or even facing bills for hundreds of pounds for services that they have not used themselves.

Which? named O2 as the retailer with the highest proportion of devices that could lose update support due to its contracts lasting up to 36 months.

Some 73% of O2 customers would potentially be left unsupported at the end of the three years, and a fifth (21%) could lose support less than a year into the contract.

All were available despite no indication to consumers that they would soon pose a security risk through a lack of updates.

In addition to O2, the proportions of contract phones on sale with similar problems at other retailers were: Carphone Warehouse (52%), Mobiles.co.uk (50%), Vodafone (50%), Three (40%), Mobile Phones Direct (38%) and EE (33%).

However, a survey by Which? found that 40% of smartphone owners believe that their phone will receive security updates throughout the contract period, while 69% said they would be concerned if their phone was no longer receiving security updates.

Which? computing editor Kate Bevan said: “Mobile phones without the latest security support could leave consumers vulnerable to hackers, so it is important that manufacturers supply these defences for longer and that retailers are clearer with people about the risks posed by phones that will not receive vital updates for the duration of contracts.

“The Government’s Product Security Bill needs to ensure that manufacturers state the date a device will be supported until – and that this information is clearly displayed on retailers’ websites. Devices need to be supported for five years minimum across all manufacturers so that consumers are better protected.”

An O2 spokesman said: “Manufacturers set the security patch lifespan of their devices, covering around three to four years for newer models. O2 customers can choose tariffs up to three years in length with our O2 Refresh plans, customisable between three and 36 months.

“We are proud to have led the industry here, as by splitting airtime and device costs customers have true flexibility over how they pay for their mobile phone. However customer security is an absolute priority, so should manufacturers advise that one-off security updates are required outside of their set lifespan, we would work closely with them to ensure customers receive the updates needed.”

EE and Three disputed some of the mobile phone models included in Which?’s analysis, saying that these phones would be supported until the end of contracts.

A Three spokesman said: “Software updates are managed by device manufacturers and Three customers are provided with the updates for as long as the manufacturers release them.”

Vodafone said that support generally extended beyond the timeframe referenced by Which?, adding: “Vodafone works closely with its suppliers to ensure that the devices it provides to customers are supported with OS and security updates.

“Though there may be some variance to the lifecycle support duration depending on the device and its manufacturer, in practice this support generally extends beyond the timeframe you reference. In general, we see that the length of support has become longer over the years.”

Dixons Carphone, owner of both Carphone Warehouse and Mobiles.co.uk, said: “We would welcome manufacturers providing us with clearer communications around mobile phone security update policies to pass on to our customers.”

A Mobile Phones Direct spokeswoman said: “We will continue to work closely with our handset manufacturer partners to ensure customers know they need to adopt the latest software updates throughout their contract period.”

Motorola said it was “committed to regular and timely security upgrades as recommended by Google/Android”.