The latest version of Android — the one with the "smishing" fix — is used by just 1.2 per cent of the more than 500 million Android devices worldwide, according to data compiled by Google. The company says it also released a security patch that could repair the flaw in earlier versions of Android, but neither Google nor the wireless carriers could say how many current phones received the patch.
Ars Technica, a news site covering the technology industry, analysed the update schedules for dozens of the most popular Android smartphones in December and found that most had received only two updates since consumers bought them, sometimes years earlier.
Apple's iPhone, the leading competitor to Android smartphones, gets operating system updates several times a year. A similar update schedule is common to desktop and laptop operating systems and other software, with updates happening automatically — often with users not even knowing it.
What's different about the Android line of smartphones is that there are dozens of devices made by various manufacturers, such as Samsung, LG and HTC, that tailor the software and its updates to their own specifications. Then US wireless carriers, such as Verizon Wireless, AT&T and Sprint, make their own changes and test each update before sending it to consumers over their wireless networks.
The overall process typically takes months and happens far less frequently than recommended by security experts, who call the diffusion of responsibility among several companies "fragmentation." Blame, too, is spread widely, though it often focuses on the carriers as the most important choke point.
"Supporting five releases of phones is a cost they absolutely don't want to incur," said Dmitri Alperovitch, chief technology officer for CrowdStrike, a security company.
Wireless carriers say they seek to release updates promptly, but they acknowledge that the process generally takes months.
"When more than one company is involved in delivering the final product, as is the case with the Android environment, any improvements in the security update process must include all entities involved," said Ed Amoroso, chief security officer for AT&T.
"We all have a collective interest for a fast and consumer friendly update process and we intend to coordinate with other providers to see if we can engineer a better solution than the one we have now."
Verizon Wireless, the largest wireless carrier, and Samsung, the largest Android device maker, both declined to answer detailed questions and said they deliver updates as quickly as possible. Sprint declined numerous interview requests, referring queries to Google.
But security experts say Google by itself has little power to get faster updates to phones. It founded the Android Update Alliance in 2011, along with carriers and device makers, but the initiative has produced little so far.