Despite Google making many improvements in the Android security ecosystem recently, safety remains a huge issue for it. According to Google's android security report, the changes made by it has helped to fight the security bugs, but almost half of the android devices haven't received a single security update in 2016.
One of the main issues Google has been fighting over the years is the way security patches are delivered to the users. While Google directly distributes updates to the Nexus and Pixel devices, it is up to the carriers and other manufacturers to send updates to their customers. Only a few phone makers like Samsung and LG send monthly updates to some of their devices on the release date itself.
Most of the manufacturers deliver the updates way later, if not at all. "We launched our monthly security updates program in 2015, following the public disclosure of a bug in Stagefright, to help accelerate patching security vulnerabilities across devices from many different device makers," Mel Miller and Adrian Ludwig from the Android security team wrote in the 2016 Android Statistics post.
Also, many users tend to install apps from third-party markets that don't have proper security control like Google Play. So it becomes difficult for Google to protect its users from PHAs and malicious apps.
The good news is, according to Google, only 0.05 percent of all Android devices that downloaded apps from the official Play store had a harmful app installed at the end of 2016.