You need to stick to Google Play for apps and run as recent a version of Android as possible if you want to lower your risk of ending up in the crosshairs of malware-touting miscreants, according to the findings in a report from none other than Google.

While you were unlikely to fall off your chair at reading this, it’s still worth examining the underlying data, as available in the company’s all-new Android Ecosystem Security Transparency Report.

Google says that 0.09% of Android-powered devices that installed apps only from the official app repository in 2017 were compromised with at least one Potentially Harmful Application (PHA), which is Google’s term for mobile malware.

This share dropped further, to 0.08%, in the first three quarters of 2018. With Android’s 2-billion user base, this still amounts to 1.6 million devices.

At any rate, the devices that installed apps from outside the official Android storefront were far more likely to “contract” a PHA – 0.82% in 2017 and 0.68% in the first nine months of 2018.

“Android devices that only download apps from Google Play are 9 times less likely to get a PHA than devices that download apps from other sources,” reads Google’s own summation.

The report covers “how often a routine, full-device scan by Google Play Protect detects a device with PHAs installed”. Built into every Android device, Google Play Protect “scans over 50 billion apps daily from inside and outside of Google Play”, says the tech behemoth.

Out with the old, in with the new?

Potentially harmful application rate by Android version (source: Android Ecosystem Security Transparency Report)

Another key finding to emanate from the report is that, for all intents and purposes, the newer your Android version is, the likelier you are to avoid being compromised by malware. This has been the case especially since Android Lollipop (5.x) was launched back in November 2014, with the PHA rate falling consistently from 0.66% for that version to 0.06% for Pie (9.x), released in August 2018.

“Newer versions of Android are less affected by PHAs. We attribute this to many factors, such as continued platform and API hardening, ongoing security updates and app security and developer training to reduce apps’ access to sensitive data,” reads the report.

To put things into perspective, however, the share of devices running one of Android’s latest two versions – Oreo (8.x) and Pie – remains low, as shown by Google’s own data as of October 26, 2018. In fact, with a distribution share of less than 0.1%, Pie has yet to get a piece of that pie (chart).

Meanwhile, nearly one in every three Android-powered devices runs either Lollipop or one of the platform’s even older versions.

This, of course, has to be considered (among other things) against the backdrop of the glacial pace at which many mobile phone manufacturers deliver software updates to Android users – provided that they deliver them at all.