In at least one instance, Google's Project Zero found an RCE vulnerability that could be triggered by just being nearby.
More common exploits target things like the GPU drivers. They require code execution on the device (i.e., an app you've downloaded) but they can be an easy path to root access for attackers targeting specific devices.
Realistically, people use phones long beyond their official software support lifetime. Plenty of unhacked phones going around still running Android 8. Android's fragmentation makes it hard to write a one-size-fits-all exploit chain like on you can on iOS.
Just make sure to only run apps from sources you trust and to update your browser, and I'm sure you should be fine for another few years.
If you want to, you can run ROMs like LineageOS. They won't fix the binary blobs, but they'll patch the open source version of Android and keep you up to date in that regard. My phone stopped receiving updates after an Android 11 update and now it's running last week's Android 13 build, patching a whole bunch of Android runtime vulnerabilities. Many phones in use today are vulnerable to a zero-click Bluetooth exploit that would be fixed by installing LineageOS or something similar to that. The newer Android version also provides me with all of the privacy improvements that have been made in Android 12 and 13. I'm hopeful that it'll run Android 14 as well, though depending on a volunteer project isn't a guarantee of course.
In theory my phone could probably be hacked quite easily though the outdated GPU drivers, but in practice I don't think I'm at that great a risk unless I try to start pirating games or something.
More common exploits target things like the GPU drivers. They require code execution on the device (i.e., an app you've downloaded) but they can be an easy path to root access for attackers targeting specific devices.
Realistically, people use phones long beyond their official software support lifetime. Plenty of unhacked phones going around still running Android 8. Android's fragmentation makes it hard to write a one-size-fits-all exploit chain like on you can on iOS.
Just make sure to only run apps from sources you trust and to update your browser, and I'm sure you should be fine for another few years.
If you want to, you can run ROMs like LineageOS. They won't fix the binary blobs, but they'll patch the open source version of Android and keep you up to date in that regard. My phone stopped receiving updates after an Android 11 update and now it's running last week's Android 13 build, patching a whole bunch of Android runtime vulnerabilities. Many phones in use today are vulnerable to a zero-click Bluetooth exploit that would be fixed by installing LineageOS or something similar to that. The newer Android version also provides me with all of the privacy improvements that have been made in Android 12 and 13. I'm hopeful that it'll run Android 14 as well, though depending on a volunteer project isn't a guarantee of course.
In theory my phone could probably be hacked quite easily though the outdated GPU drivers, but in practice I don't think I'm at that great a risk unless I try to start pirating games or something.