It's a known truth that most Android vulnerabilities don't get patched. It's not Google's fault. It releases the patches, but the phone carriers don't push them down to their smartphone users. Now the Federal Communications Commission and the Federal Trade Commission are investigating, sending letters to major carriers and device makers. I think this is a good thing. This is a long-existing market failure, and a place where we need government regulation to make us all more secure. https://threatpost.com/aclu-asks-ftc-to-investigate-carriers-lack-of-android-security-updates/99768/ https://threatpost.com/fcc-ftc-investigate-mobile-security-update-practices/117972/ https://transition.fcc.gov/Daily_Releases/Daily_Business/2016/db0509/DOC-339256A2.pdf https://www.ftc.gov/system/files/attachments/press-releases/ftc-study-mobile-device-industrys-security-update-practices/160509mobilesecuritymodelorder.pdf