The situation is similar for enterprise apps which would be classified as coming from unknown sources, he says.
The speed with which attackers jumped on the initial Android master key flaw was impressive, he says. It took 17 days between the details being released publicly to finding an exploit in the wild. That's pretty fast, but the attackers may have known the details earlier and been working on their exploit ahead of the public announcement.
It took only seven days between when details of the original exploit were revealed and when other, similar bugs were discovered in different places, he says.
An obstacle to clearing up these problems is that service providers who sell Android phones to customers must issue patches to the operating systems and how quickly that is done and whether it is done at all varies from carrier to carrier.
Sign up for CIO Asia eNewsletters.