

Google, Inc. has released its second annual Android Security Report, revealing that although there are compromised Android devices out there, the number is not only small, but decreasing.
The report details that Google now scans a remarkable 6 billion installed applications per day for malware and other potentially harmful apps, and protects users from network-based and on-device threats by scanning 400 million devices per day.
While those numbers reflect Google protecting devices from harmful apps after they have been installed, the company is also focused on making it more difficult for unsafe apps to be made available on the Google Play Store to begin with.
In terms of nefarious apps, the numbers sneaking into the Play Store are down year-on-year: data collection apps decreased by over 40 percent to 0.08 percent of installs, spyware-infected apps decreased 60 percent to 0.02 percent of installs, and apps infected with a hostile downloader decreased 50 percent to 0.01 percent of installs.
In total, potentially harmful apps were installed on fewer than 0.15 percent of devices that only get apps from Google Play. That said, the figure increases for Android devices that install apps from third-party app stores or sites directly, although in the scheme of things it’s still not a huge number: a 0.5 percent infection rate.
Although the aforementioned numbers are great for Google, the report also highlights the biggest flaw in the Android ecosystem, and that’s the broken upgrade path, where upgrades don’t come from Google itself (except for Google Nexus devices) but instead rely on the manufacturer of the phone or the telco an Android owner is using.
29 percent of mobiles and tablets running Android were found to be running out-of-date code; put another way, only 71 percent were running Android 4.4.4 or better.
As The Register points out, that means that based on there being 1.4 billion Android devices in use, 400 million Android devices are vulnerable to being attacked.
Google has still done nothing to fix Android’s broken upgrade model, and even Android’s latest incarnation, Marshmallow 6.0, still relies on handset manufacturers and/or service providers to push a security update out over the air. Yes, there are logistical problems, as Android itself needs to be customized for a particular device, but surely there should be some way to separate the parts of Android needed for the specific device from the parts that are required for security.
A full copy of the report can be downloaded here (pdf).