The vulnerability could leave users around the world exposed to the danger of data theft, ransom demands and other malware attacks.
Anyone using an Android phone released in 2012 or earlier should be especially concerned, it said.
Which? says it was not reassured by Google's response.
And the tech giant has not responded to BBC requests for a comment.
Google's own data suggests that 42.1% of Android users worldwide are on version 6.0 of its operating system or below.
According to the Android security bulletin, there were no security patches issued for the Android system in 2019 for versions below 7.0.
Extrapolating this data, Which? concluded that two in five Android users worldwide were no longer receiving security updates.
It then tested five phones:
- a Motorola X
- a Samsung Galaxy A5
- a Sony Xperia Z2
- an LG/Google Nexus 5
- a Samsung Galaxy S6
Which? asked anti-virus lab AV Comparatives to infect them with malware - and it succeeded on every phone, creating multiple infections on some.
It said it shared its findings with Google but the tech giant "failed to provide reassurance that it has plans in place to help users whose devices were no longer supported".
The watchdog wants Google and others to provide far more transparency around how long updates for smart devices will be provided.
And it said the mobile industry needed to do a better job of giving support to customers about their options once security updates are no longer available.
Kate Bevan, Which? Computing editor, said: "It's very concerning that expensive Android devices have such a short shelf life before they lose security support, leaving millions of users at risk of serious consequences if they fall victim to hackers.
"Google and phone manufacturers need to be upfront about security updates - with clear information about how long they will last and what customers should do when they run out.
"The government must also push ahead with planned legislation to ensure manufacturers are far more transparent about security updates for smart devices - and their impact on consumers."
How to check whether your phone is vulnerable and what to do
- If your Android device is more than two years old, check whether it can be updated to a newer version of the operating system. If you are on an earlier version than Android 7.0 Nougat, try to update via Settings > System > Advanced System update
- If you can't update, your phone could be at risk of being hacked, especially if you are running a version of Android 4 or lower. If this is the case, be careful about downloading apps outside the Google Play store
- Also be wary of suspicious SMS or MMS messages
- Back up data in at least two places (a hard drive and a cloud service)
- Install a mobile anti-virus via an app, but bear in mind that the choice is limited for older phones
BBC News