We already know that Android handset makers don’t always deliver security updates in a timely way – Google has only recently started issuing regular security updates for its own Nexus devices.

But the number of unsecure Android devices out there is truly astonishing, according to research from the UK’s University of Cambridge – 87% of Androids are exposed to at least one known critical vulnerability.

Android device buyers – be they consumers, businesses or governments – often don’t have any guidance on which device models are getting security patches or on what kind of timetable, researchers Daniel Thomas, Alastair Beresford, and Andrew Rice note in a new paper.

One example the researchers found is CESG – the information security arm of the UK’s Government Communications Headquarters (GCHQ) – which advises the government on securing its computer systems.

CESG recommends choosing Android devices from manufacturers who are good at promptly shipping security updates, but it doesn’t say which manufacturers those might be.

The lack of data leaves us stuck with what the researchers call a “market for lemons”:

The difficulty is that the market for Android security today is like the market for lemons: there is information asymmetry between the manufacturer, who knows whether the device is currently secure and will receive security updates, and the customer, who does not.

Not all device manufacturers are equally lagging in patching devices.

The study found that Google, LG, and Motorola far outperformed Samsung, HTC and Asus.

Nexus devices do considerably better, and LG is the best manufacturer of all.

Still, few devices are promptly updated: the study found that, on average, a device receives 1.26 updates per year, leaving them unpatched for long periods.

Data collected from 20,400 Android devices with the university’s Device Analyzer app installed revealed that 87% of Android devices were vulnerable to at least one of 11 known, critical bugs, including the TowelRoot and FakeID vulnerabilities discovered in 2014.

Device manufacturers are finally beginning to address the problem of lagging updates.

Stagefright – the nasty security hole in Android disclosed in July – soon thereafter scared Samsung and Google into announcing that they’ll both push monthly security updates for Androids.

As we saw with the Stagefright fracas, handset makers package Android software along with their own software, and Google has left it to the vendors and carriers to get updates out to users.

That means Android users typically get security updates months late, if they ever get them at all, because Samsung or T-Mobile or fill-in-the-blank vendor or carrier gets bogged down in wrapping its own software around a given security fix.

For its part, HTC has said that monthly updates are “unrealistic” due to a bottleneck at the carrier testing stage: HTC says that Android’s hardware partners take Google’s security fixes, wrap their own software around them, and then rely on carriers to approve and push out the updates.

But the Cambridge researchers noted that the bottleneck for the updates is really the fault of the manufacturers, who “fail to provide updates to fix critical vulnerabilities.”

The researchers are hoping that by quantifying the problem, they can help people choose a more secure device and that consumers’ buying power will “provide an incentive for other manufacturers and operators to deliver updates.”

Follow @LisaVaas
Follow @NakedSecurity

Image of broken robot courtesy of Shutterstock.com.