As with Windows XP on the desktop, KitKat is the aging version of Android that just won't go away. An analysis by security firm Duo Security of around one million enterprise and business users in the US, drawn from its customer base of several thousand organisations, found that a staggering third of the Android devices are still running version 4.0 or earlier, which means they have not been updated for several years.
Another 14 percent were stuck on Android 4.4.2 and nine percent on 4.4.4, so over half of those devices are running images that date from the three years before October 2014, when Android 5.0 Lollipop made its appearance.
Often-voiced worries about Android's fragmentation have tended to centre on its effect on consumers but these figures offer a glimpse into the potentially more serious issue of what out-of-date mobile software could silently be doing to enterprise security.
Android and the enterprise 2016 - Stagefright
There are two problems. First, any device still running KitKat will be exposed to serious flaws such as the Stagefright bug that emerged in August 2015, which makes it a potential hazard for every enterprise network it connects to. Second, and perhaps worse, because such devices will never be updated, they will remain vulnerable to that flaw until the day they are decommissioned, possibly years in the future.
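The practical response to the figures above is a fleet check that flags devices below a version floor and devices whose security patch level is missing or stale. The following is an added example written for this article, not code from Duo Security or from the original page. The inventory records are constructed here, and the field names (model, os_version, security_patch) and the policy values (a 5.0 floor, a 90-day patch age) are assumptions; in practice the records would come from an MDM or device-inventory export. It also shows a pitfall worth knowing: Android version strings must be compared numerically, because as plain strings "10" sorts below "4.4.4".

```python
"""Fleet check for out-of-date Android devices (added example, assumed schema)."""
from collections import Counter
from datetime import date

# Constructed sample inventory; field names are assumed, not Duo's schema.
# Devices below Android 6.0 report no security patch level: the field was
# introduced with Android 6.0 (Build.VERSION.SECURITY_PATCH).
INVENTORY = [
    {"model": "Galaxy S4", "os_version": "4.0.4", "security_patch": None},
    {"model": "Galaxy S4", "os_version": "4.4.2", "security_patch": None},
    {"model": "Nexus 5", "os_version": "4.4.4", "security_patch": None},
    {"model": "Moto G", "os_version": "5.1", "security_patch": None},
    {"model": "Nexus 5X", "os_version": "6.0.1", "security_patch": "2016-02-01"},
    {"model": "Nexus 6P", "os_version": "6.0.1", "security_patch": "2015-10-01"},
    {"model": "Pixel", "os_version": "10", "security_patch": "2020-02-05"},
]

MIN_VERSION = "5.0"        # assumed policy floor (Lollipop); below it, treat as never-patched
MAX_PATCH_AGE_DAYS = 90    # assumed policy: patch level older than this is stale
PATCH_LEVEL_INTRODUCED = "6.0"


def parse_version(version):
    """'4.4.2' -> (4, 4, 2). Tuples compare numerically, strings do not:
    '10' < '4.4.4' as strings, which would mark a modern device as legacy."""
    return tuple(int(part) for part in version.split("."))


def classify(record, today):
    """Return one of: legacy, unverifiable, stale, current."""
    version = parse_version(record["os_version"])
    if version < parse_version(MIN_VERSION):
        return "legacy"            # below the floor: assume it will never be fixed
    patch = record.get("security_patch")
    if patch is None:
        # Expected for 5.x (no patch level field); suspicious for 6.0+.
        # Either way the device cannot be shown to be patched.
        return "unverifiable"
    age_days = (today - date.fromisoformat(patch)).days
    return "stale" if age_days > MAX_PATCH_AGE_DAYS else "current"


def summarize(inventory, today):
    """Count and percentage per class, the way the article reports Duo's figures."""
    counts = Counter(classify(r, today) for r in inventory)
    total = len(inventory)
    return {k: (n, round(100 * n / total)) for k, n in counts.items()}


def non_compliant(inventory, today):
    """Models that should be denied access or pushed for replacement."""
    return [r["model"] for r in inventory if classify(r, today) != "current"]


if __name__ == "__main__":
    today = date(2020, 3, 1)  # fixed date so the run is reproducible
    for cls, (n, pct) in sorted(summarize(INVENTORY, today).items()):
        print(f"{cls:13s} {n:3d} ({pct}%)")
    print("non-compliant:", non_compliant(INVENTORY, today))
```

The floor and patch-age values are where the policy lives; the point of the separate "unverifiable" class is that a device with no patch level cannot be proven safe, and a BYOD policy that only checks the major version would wave it through.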
According to Michael Hanley of Duo Security, the culprit is complacency about Bring Your Own Device (BYOD), a fashionable self-provisioning model that brings with it a basic problem: the user chooses the device, not the business.
It's a model in which IT departments don't feel inclined to ask people to upgrade even when they understand the risk of older devices.
"Most IT shops can't say 'don't use that device at all'. It's what the user has. It's what ends up being used for business use. It is too much to expect them to bring in a Nexus 5X or 6P," says Hanley.
There is no easy answer to BYOD on Android, despite the best efforts of vendors to separate personal and business data within a device through developments such as Samsung's Knox. Android remains an inherently fragmented platform, not only at the OS level but in the sheer number of distinct devices that have to be secured.
Hanley and Duo estimate that while around two thirds of the mobile devices used by its customers were Apple models of one kind or another, that still left 3,700 individual Android products from two dozen or more vendors.
The firm's figures show that Samsung is currently the most common Android vendor with 57 percent of devices, followed by LGE (including Google's Nexus range) on 13 percent, Motorola also on 13 percent, and HTC and Sony on 6 percent and 3 percent respectively.