Shaming carriers and smartphone manufacturers into applying patches faster is a step forward, but a lot more needs to be done to improve the security of the Android platform, security experts say.
Last month, Bloomberg, citing unnamed sources, reported that Google is considering releasing a list of vendors ranked by how up-to-date their handsets are.
This has long been a problem for Android. Unlike Apple, which can unilaterally push out updates to its customers as they come out, the situation with Android is a lot more complicated.
When a patch comes out, only Nexus phones get it automatically, said Kyle Lady, research and development engineer at Duo Security.
"If it isn't a Nexus phone, the manufacturer has to apply the patch to the software, then send it to the carrier, who has to approve it, and send it to customers running that phone," he said. "So there's a substantial delay."
For example, 60 percent of Android phones still lack the patch for the QSEE (Qualcomm Secure Execution Environment) vulnerability, even though the patch came out in January.
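The practical question behind that statistic is how far behind a given device actually is. Android 6.0 and later builds expose the security patch level as the system property `ro.build.version.security_patch` (readable with `adb shell getprop ro.build.version.security_patch`), alongside the OS version in `ro.build.version.release`. The following is an added example, not code from the article or from any of the vendors quoted in it: it parses a `getprop` dump, turns the patch level into a date, and reports how many days stale the device is against a reference date. The sample property dump, the reference date and the 90-day threshold are constructed assumptions; older devices that do not report a patch level are flagged as "unknown" rather than treated as patched.

```python
from datetime import date

# Constructed sample of `adb shell getprop` output; not a capture from a real device.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [6.0.1]
[ro.build.version.security_patch]: [2016-01-01]
[ro.product.manufacturer]: [ExampleOEM]
"""


def parse_getprop(text):
    """Turn `[key]: [value]` lines from getprop into a dict, skipping anything else."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not (line.startswith("[") and "]: [" in line and line.endswith("]")):
            continue
        key, _, value = line[1:-1].partition("]: [")
        props[key] = value
    return props


def _as_date(value):
    """Accept a date or an ISO 'YYYY-MM-DD' string; return a date or None if malformed."""
    if isinstance(value, date):
        return value
    try:
        return date.fromisoformat(value)
    except (TypeError, ValueError):
        return None


def patch_level(props):
    """Security patch level as a date, or None when the device does not report one
    (builds before Android 6.0 have no ro.build.version.security_patch property)."""
    return _as_date(props.get("ro.build.version.security_patch"))


def days_behind(props, today):
    """Days between the reported patch level and `today`; None if the level is unknown."""
    level = patch_level(props)
    ref = _as_date(today)
    if level is None or ref is None:
        return None
    return (ref - level).days


def assess(props, today, max_days=90):
    """Classify a device as 'unknown', 'current' or 'stale'.
    max_days is an assumed policy threshold, not an Android or Google value."""
    lag = days_behind(props, today)
    if lag is None:
        return "unknown"
    return "current" if lag <= max_days else "stale"


if __name__ == "__main__":
    props = parse_getprop(SAMPLE_GETPROP)
    reference = "2016-05-01"  # assumed audit date
    print("release:", props.get("ro.build.version.release"))
    print("patch level:", patch_level(props))
    print("days behind:", days_behind(props, reference))
    print("verdict:", assess(props, reference))
```

Feed it real output by piping `adb shell getprop` into `parse_getprop`; the point of the "unknown" verdict is that a device with no patch-level property is most likely on a pre-Marshmallow build and should not be counted as up to date just because the check cannot read a date.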
"There are way too many devices in the wild left completely unprotected from well-known, high severity exploits," said John Michelsen, chief product officer at Zimperium. "Manufacturers have a responsibility to provide important updates to the Android platform as soon as possible."
It's not just patches that aren't being distributed to the phones in a timely manner.
The Android 6 "Marshmallow" operating system, released last October, currently runs on only 7.5 percent of Android devices.
"The older version of Android may have vulnerabilities that are not being patched by the OEM," said Kia Behnia, CEO at mobile security firm PowWow Mobile. "Google and OEMs must have a better model for updating those older devices for both security and usability reasons."
And some Android phones never get any patches or updates at all.
"According to Google’s own report, a large portion of Android users -- over 30 percent -- never receive security updates," said Michael Shaulov, head of mobility product management at Check Point Software Technologies. "This leaves users defenseless against malware."
Putting pressure on manufacturers is a good step, he added.
"I’m not sure there’s much Google can do," he said.
For example, many manufacturers have customized the interfaces to better appeal to their users, he said, since many customers prefer customization to security. And carriers also add bloatware. All this customization slows down the patch process considerably.
Arian Evans, vice president of product strategy at security firm RiskIQ, agreed that Google's new tactic could be a move in the right direction.
"Hackers are increasingly using mobile as a new attack vector, using trusted brands with a high-profile public presence or associated with valuable data as lures to deceive end-users and steal sensitive information and taking advantage of relatively immature security practices in the mobile channel to conceal fraudulent activities," he said.