I have a Pixel 4a (with Calyx) for a few years already (start of 2021) and it's still going great. The battery is okay. Everything works nice. It's smooth. It runs everything perfectly fine.
This makes me glad to see that hardware wise this phone was really built to last, I can't even count how many times I dropped it so hard that I was scared to see the damage (which was always either nothing or a broken screen protector)
But software wise I'm screwed as security updates are already gone from Google and I only get the extended support from Calyx which will also end soon.
Now I'm forced to choose between having a phone that is insecure or buying a new one.
So thanks Google for the high quality hardware, but what's up with this software planned obsolescence??
I know this isn't exactly right to repair, but it also kind of is because if Google decided to ditch the 4a, they should be forced to open source the software so that the public can actually repair it.
I'm sure that some of their latest updates can be modified slightly to work for the 4a, but they don't care and for them this is a win-win since they don't have to maintian support and they get new customers who would otherwise be satisfied with an "old" phone.
What happened to the days when an old phone meant a phone that was already crumbling to pieces, and not a fully functional computer that is slightly older then a toddler?
Botnets targeting android devices are a thing, here's an example: https://blog.fox-it.com/2023/09/11/from-ermac-to-hook-investigating-the-technical-differences-between-two-android-malware-variants/
In this example, they're renting access for thousands of dollars. These people have a clear motivation to find ways to exploit devices and unpatched CVEs are an easy way for them to do that.
Look, when it comes to security statistics, a lot of it is locked behind closed doors in all kinds of big security companies. I can tell you personally that I have worked in such a company and you could see a lot of exploitation (attempts) on Android devices. It was there.
Look once there's a CVE and there is a POC for it. Usually there comes a Metasploit module for it and then it's for sure being used by a bunch of people.
Look, I have no interest in convincing you, you can also find some materials online but yeah, plenty of this info is closed source, that's just how it is with some industries.
If you want to throw caution to the wind because you couldn't find anything that is your choice.