The American Civil Liberties Union filed a federal complaint Tuesday accusing the nation’s largest wireless carriers of “deceptive” business practices for failing to keep the software on tens of millions of Android smartphones updated — a shortcoming that can make the devices vulnerable to hackers.
Security companies have documented a surge of malicious software targeting Android phones, whose operating systems are made by Google, over the past year. Older phones that do not receive routine updates are particularly exposed, security experts say, yet the wireless carriers who sell most of the phones in the United States have struggled to keep the software current.
The problem has caused smartphones featuring Android, which is the most popular mobile operating system in the world, to be more vulnerable to hackers than those of its leading rivals, such as Apple’s iPhone, which receives regular software updates, security experts say.
Only one in four Android phones worldwide has the latest generation of the operating system, called Jelly Bean, according to statistics kept by Google, and more than 45 percent run on software first released more than two years ago. Older versions sometimes receive security patches provided by Google, though the process of delivering these to consumers is inconsistent across the dozens of different Android smartphones made by several major manufacturers.
The ACLU filed the complaint with the Federal Trade Commission, which has taken a lead role in overseeing the burgeoning technology industry and reached a settlement with smartphone maker HTC America in February over charges that it had failed to secure user information on smartphones.
Hackers continuously look for new ways to break into devices, and old software can expose consumers to risks for months or years after the problems were first discovered.
“We really feel this is like a defective product,” said Christopher Soghoian, principal technologist for the ACLU and a former official with the FTC. “The companies know about the flaws, so they should either recall the products or tell consumers so that they can make an informed choice.”
The complaint names the four largest wireless carriers — Verizon Wireless, AT&T, Sprint Nextel and T-Mobile USA — as parties but not Google, whose relationship with most consumers using Android phones is indirect.
The company makes the operating system available free to other companies, which typically sell the devices to consumers after tailoring the software to their specifications. The combination of companies involved — Google, the mobile device makers and the wireless carriers — has complicated efforts to keep updates flowing, according to those within the industry.
Google also sells its own line of smartphones and tablets, and those devices receive regular software updates automatically.
The ACLU complaint asks that the wireless carriers be required to alert consumers to the problem with the software updates or offer to replace outdated devices.
The FTC confirmed receiving the complaint but declined to comment on it. Investigations, if undertaken, can take a year or more before completion.
Some of the wireless companies issued statements Tuesday afternoon in response to the ACLU complaint.
“Verizon Wireless is focused on ensuring our customers have good experiences with their smartphones and tablets,” spokeswoman Brenda Rainey said, adding, “We work closely with [mobile device makers] and provide mandatory updates to devices as quickly as possible.”
“Sprint follows industry-standard best practices designed to protect its customers,” spokesman John B. Taylor said.
AT&T and T-Mobile made no immediate comment Tuesday. Google declined to comment.