Almost 90 percent of Android smartphones are exposed to at least one known critical vulnerability, according to a 2015 study. This is not because of anything their owners are doing or failing to do. Rather, these phones are vulnerable because they have not received regular security updates.

The study found that Android devices receive only 1.26 updates per year on average, even though Google issues monthly security releases for the open-source Android software. As a result, these devices remain exposed to vulnerabilities that are publicly known and already fixed upstream, which are exactly the flaws attackers find easiest to exploit.

Why the Problem Exists

Why aren’t the monthly security updates reaching Android smartphones? The problem mainly lies with the complicated patching process, which often involves Google, the device manufacturers, and the cellular carriers. After Google provides an update, the device manufacturers must incorporate the changes into the firmware for each smartphone model they offer. This stage can be complex because a model’s firmware can have hundreds of variations to support the customizations made by the cellular carriers. After testing the updated firmware for each variation, the device manufacturers send the various versions of the updated firmware to the cellular carriers. The carriers then test the updated firmware for the smartphones they offer, making sure the changes will not cause any problems. If they approve the updated firmware, they push it out to the phone users.

This complicated patching process often leaves phones vulnerable for a long time. For example, Google created a patch for the Stagefright vulnerability (a flaw in Android's media-processing library that could be triggered by a specially crafted MMS message, with no action required from the user) within 48 hours of being notified of it in April 2015. However, the slow patching process left some users vulnerable for six or more months, according to one report.

To complicate matters further, Google, device manufacturers, and cellular carriers are reluctant to update older smartphones. The smartphone market changes rapidly, so they prefer to spend their time and money on developing new devices rather than fixing old ones.

Some Smartphone Manufacturers Are Attempting to Fix the Problem

The Stagefright vulnerability helped highlight the problem with the patching process, prompting some device manufacturers to improve it. For instance, Google has committed to issuing monthly security updates for its Nexus devices. Google manages the development, marketing, and support of these devices, so there are fewer players in the patching process. LG has also committed to issuing monthly security updates to carriers and is encouraging them to make the updates available to customers immediately.

Samsung has created a fast-track patching process for security vulnerabilities so that security updates take place regularly (about once per month). However, this process is only being used for its newest devices. A lawsuit filed by Consumentenbond (Dutch Consumers’ Association) in January 2016, though, might prompt Samsung to apply the fast-track patching to older devices as well. Consumentenbond is suing Samsung because it does not provide updates for most of its devices. Moreover, the lawsuit claims that Samsung provides insufficient information about critical security vulnerabilities and when customers can expect to receive software updates.

Like Samsung, HTC is attempting to push out security updates regularly. However, HTC president Jason Mackenzie says that monthly updates are unrealistic because it has fewer resources than large device manufacturers. Plus, he believes that cellular carriers will give HTC updates less attention because HTC has fewer phone sales.

Cellular Carriers Also Need to Improve

Device manufacturers are not the only ones that need to work on fixing the problem. Cellular carriers have to shorten the time it takes to get Android updates through their approval processes. This might take some persuasion, though, since they have had little incentive to get updates to users quickly in the past. Carriers usually control when Android updates are released to users, so there is no external pressure to push them through in a timely fashion.

The situation is even worse when security updates are part of an operating system upgrade. Many cellular carriers have a compelling reason to drag their feet in getting these upgrades to customers. To get customers to renew their contracts, carriers often dangle the carrot of getting a brand new phone. A new phone will likely be less tempting to a customer who has just received an operating system upgrade on his or her existing phone.

What You Can Do

It will likely take a while for the security update problem to be resolved. In the meantime, you need to take the axiom “let the buyer beware” to heart. The next time you are in the market for a new Android smartphone, it would be a good idea to compare more than just features. For each device you are considering, check with the device manufacturer and cellular carrier to see how often security updates and operating system upgrades will be available. In addition, do some research to see what other customers or consumer groups are saying about the device’s patching process. If you already own the phone, the Android security patch level shown under Settings > About phone (on Android 6.0 and later) tells you how current it actually is: Google's monthly bulletin names the patch level a fully updated device should carry, so a level that is many months old means the pipeline described above has stalled for your model.
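The same check can be automated for a whole fleet. The script below is an added example, not code from the article or from Google; it reads the patch level a device reports in the system property ro.build.version.security_patch (format YYYY-MM-DD, present on Android 6.0 and later), works out how far behind the current date it is, and flags devices as current, stale or abandoned. The age thresholds and the sample inventory are assumptions constructed for illustration; the adb helper is only needed when you point it at a real USB-connected device.

```python
"""Flag Android devices whose security patch level has gone stale.

Since Android 6.0 every build carries a monthly "Android security patch level",
exposed as the system property ro.build.version.security_patch in the form
YYYY-MM-DD. Comparing that value against today's date shows how far behind
the manufacturer/carrier update pipeline has left each device.
"""
from datetime import date
import subprocess

# Assumed thresholds (chosen for this example, not from the article or Google):
# within ~2 months of today is "current", beyond that "stale", past a year
# "abandoned".
STALE_DAYS = 62
ABANDONED_DAYS = 365


def parse_patch_level(value):
    """Parse 'YYYY-MM-DD' as reported by ro.build.version.security_patch.

    Returns None when the property is missing or malformed (pre-6.0 builds
    report an empty string), so the caller can treat the device as unknown.
    """
    try:
        year, month, day = (int(part) for part in value.strip().split("-"))
        return date(year, month, day)
    except (ValueError, AttributeError):
        return None


def patch_age_days(patch_level, today):
    """Days elapsed between the device's patch level and `today`, or None."""
    parsed = parse_patch_level(patch_level)
    if parsed is None:
        return None
    return (today - parsed).days


def classify(patch_level, today):
    """Map a patch level to 'current', 'stale', 'abandoned' or 'unknown'."""
    age = patch_age_days(patch_level, today)
    if age is None:
        return "unknown"
    if age > ABANDONED_DAYS:
        return "abandoned"
    if age > STALE_DAYS:
        return "stale"
    return "current"


def classify_fleet(devices, today):
    """devices: iterable of (label, patch_level); returns {label: status}."""
    return {label: classify(level, today) for label, level in devices}


def read_patch_level_via_adb(serial=None):
    """Read the live value from a USB-connected device (requires adb on PATH)."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + [
        "shell", "getprop", "ro.build.version.security_patch",
    ]
    return subprocess.check_output(cmd, text=True).strip()


# Constructed sample inventory (hypothetical devices, not real measurements):
# label -> the patch level the device reports.
SAMPLE_DEVICES = [
    ("nexus-like, monthly updates", "2016-01-01"),
    ("flagship, quarterly updates", "2015-11-01"),
    ("two-year-old model", "2015-01-01"),
    ("pre-6.0 build, property empty", ""),
]

if __name__ == "__main__":
    # Fixed reference date so the output is reproducible; use date.today()
    # for a live check.
    today = date(2016, 2, 1)
    for label, status in classify_fleet(SAMPLE_DEVICES, today).items():
        print(f"{status:9s} {label}")
```

On a real device, `read_patch_level_via_adb()` replaces the sample strings; an empty result means the build predates Android 6.0 and has no patch level to compare, which for the purposes of this article is itself a bad sign.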