A security researcher has discovered a way to take over roughly 70 percent of Android devices via a Web page or app. It’s not known if anyone’s actually using the exploit to attack people’s phones, but the researcher’s findings are nonetheless a reminder that Google faces a growing headache because it lacks any way to effectively distribute security updates to the hundreds of millions of devices running its software worldwide. Many of those devices have outdated versions of Android.

The new exploit was developed by Joe Vennix, a software engineer at security company Rapid7, who last week added the exploit to the company’s Metasploit software used to test devices and systems for known vulnerabilities. His code makes use of a bug, first disclosed in December 2012, in the Web browser built into Android. The exploit could be used to take over a phone after directing someone to a Web page with the malicious code embedded, or by delivering the code via an app, many of which display content such as ads using Android’s browser capabilities. Vennix found that one Baidu app, for example, was vulnerable to the exploit when installed on a device using the version of Android released in December 2013. Another researcher found that the exploit works on Google Glass.

Vennix estimates that 70 percent of Android devices are vulnerable to the exploit, based on Google’s figures for the proportion of devices running different versions of Android. And crucially, although Google released a new version of Android with a fix for the underlying bug in November 2012, most devices running the software will likely remain vulnerable to the attack for as long as they remain in use because they will not be updated.

Google has convinced many manufacturers to install Android on their products, but few are quick about rolling out new versions of the software. Nor does Google have any mechanism to push updates directly to devices, such as those built into desktop operating systems including Microsoft Windows or Mac OS.

That limits Google’s ability to push out new features and security patches to devices running its software. The company’s had little success addressing the problem so far. In May 2011, for example, Google announced the Android Upgrade Alliance, under which wireless carriers would roll out Android updates quickly for the first 18 months of a device’s life. But the project foundered and is no longer active. Google didn’t respond to a request for comment.

More recently, Google has sought to sidestep carriers by shifting some functions of Android into separate apps, which can be updated by users via the company’s Play app store. YouTube, Gmail and Google Search, for example, used to be built into the Android software but are now separate apps; Google can push feature updates and security fixes to these apps without having to work with any other company. In the most recent versions of Android, the built in browser code is hidden away from users who instead use a mobile app version of Google’s Chrome desktop browser.

However, that approach doesn’t cover the core of the Android software, and it can’t fix the bug discovered by Rapid7. Dirk Sigurdson, director of engineering for Rapid7’s product to protect mobile devices, Mobilesafe, says that devices bought from companies other than Google can’t be considered secure. “The best bet for now is to buy Google Nexus or Google Play edition devices, which are much more quickly updated with the latest Android releases,” he says.

Over a billion Android devices have been activated since the software launched in October 2008, according to Google. Android devices are hardly plagued by malware to the extent that PCs are, and the use of app stores helps limit the spread of malicious code. Even so, the incidence of malware is growing and expected to get significantly worse (see “Attacks on Android Intensify” and “New Business Models for Malware to Bring PC Security Woes to Mobile”).

After Microsoft’s Windows operating system fell victim to a wide range of malware, the company established a system whereby security updates were continually developed and rolled out to PCs. Apple uses a similar model to keep its mobile devices updated. In September, for example, only a week after a bug was discovered that allowed someone to bypass an iPhone’s lock-screen, the company rolled out a fix.

That approach could help Android, too, says security consultant Graham Cluley, but it is unlikely to be attractive to Google because of how it gives away Android for free and allows device manufacturers and mobile carriers to modify the software. “The fundamental problem, I suspect, is that they don’t control the hardware and software,” he says. “Even though all these devices are running Android, they run different tweaked versions with different UIs and add-ons.”

One reason that companies don’t pass along Google’s updates to Android today is that it takes work to ensure those tweaks still work correctly on a new version. Automatic updates could break a company’s own Android modifications, says Cluley.