Android handset makers’ failure to deliver timely security updates leaves almost everyone open to attack.

That’s among the conclusions of a study from Cambridge University that sought to quantify just how bad the Android security situation had become.
To compile the data, the group of researchers published a Data Analyzer app to the Google Play Store. Along with giving a lot of people the ability to participate, this meant that phones that lack Google Play services and are targeted at emerging markets weren’t counted in the results. As a result, the team acquired data from 20,000 different Android devices, with most being from major manufacturers like Samsung, LG, HTC, and Motorola. You can download and run the app yourself to give the team more data to work with.

The Stagefright vulnerability demonstrated how quickly one security issue could threaten a ton of devices. That’s because Android updates run into a bottleneck. After Google releases a new version or security fix, the manufacturers have to incorporate it into their own split-off versions of the Android OS before spiriting it off to your device. It’s even worse with carrier-branded phones, as the carrier must also test and approve the updates before they come to you. This contrasts sharply with how updates work on iOS. Apple pushes a button, and the update heads right to everyone’s iPhone.