The Wall Street Journal is reporting that Google has stopped shipping security fixes for Android devices that operate on Android versions 4.3 and earlier.
Dubbed Jelly Bean, version 4.3 was released on July, 2013, updating phones that had originally shipped with 4.1 and 4.2. Devices with Android versions 4.4 (KitKat) and newer are not affected by this policy.
According to the WSJ, about two-thirds of all Android phones currently active in the world are now potentially susceptible to security vulnerabilities that can compromise the device owners privacy and potentially lead to viruses and malware being installed on the device.
What this means in the real world is that anyone using an older Android device needs to get a new phone (the carriers and Google LOVE this option) or attempt to update their phone to the newest OS (the carriers HATE this option), because the out of date phone poses a privacy and security threat not only to the owner of the phone, but also to everyone around that person, potentially even compromising the security of their employer.
When Google stops shipping security and bug fixes for these devices, this means that known vulnerabilities can be exploited by hackers and others with ill intent, stealing personal, private data and/or turning the phone into a node for a giant botnet.
Many carriers and manufacturers exacerbate the problem by not shipping or even allowing system updates to their phones, so it is incumbent upon each individual Android user to investigate their phone to ascertain the vulnerabilities it may contain and take appropriate steps to mitigate the potential risks involved.
Google doesn't provide update instructions directly, but you can check your device on your cell phone carrier's website: