The security updates Android manufacturers regularly roll out aren’t what they seem, according to a report from Wired. Apparently, companies are lying to their users, saying their phone’s firmware is fully up to date, when in fact it’s not.

Karsten Nohl and Jakob Lell of Security Research Labs revealed two years’ worth of research, in which the duo reverse-engineered operating system code from 1,200 Android devices. What they found was troubling, per Wired’s report:

In many cases, certain vendors’ phones would tell users that they had all of Android’s security patches up to a certain date, while in reality missing as many as a dozen patches from that period—leaving phones vulnerable to a broad collection of known hacking techniques.

Even some of today’s biggest manufacturers, including Samsung, Motorola, Sony, and HTC, misrepresented what security patches were available on its devices. The only company that hasn’t misled users is Google, which is another reason to own a Pixel 2 or Pixel 2 XL.

Other lesser-known companies like TCL and ZTE were particularly deceptive, missing more than four patches they’d claimed to have rolled out to users, according to Wired. In a few rare cases, Sony and Samsung missed a patch or two “by accident.”

“We found vendors that didn’t install a single patch but changed the patch date forward by several months,” said Nohl. “That’s deliberate deception, and it’s not very common.”

The problem isn’t just the deception, but the position it puts users in. There are over two billion Android devices on the market right now, which means millions are vulnerable to hacks without the latest security updates. And even when users think they do have the latest security update, there’s a chance they’re being lied to.

In response to the research by Nohl and Lell, Google released a statement, which you can read below:

We would like to thank Karsten Nohl and Jakob Kell for their continued efforts to reinforce the security of the Android ecosystem. We’re working with them to improve their detection mechanisms to account for situations where a device uses an alternate security update instead of the Google suggested security update. Security updates are one of many layers used to protect Android devices and users. Built-in platform protections, such as application sandboxing, and security services, such as Google Play Protect, are just as important. These layers of security—combined with the tremendous diversity of the Android ecosystem—contribute to the researchers’ conclusions that remote exploitation of Android devices remains challenging.