Security firm says the 750 million endangered by recent bug could be better served by device makers and carriers.
Mobile manufacturers and carriers are putting Android users at risk through poor patching, according to security firm McAfee.
McAfee issued a blog post after a recent bug letting hackers bypass the Same Origin Policy feature on an old Android web browser is thought to have exposed 750 million of the operating system’s users to email hijacking and other data snatching.
Gary Davis, chief consumer security evangelist at McAfee, said: "But lack of updating isn’t entirely the fault of Android users."
"In fact, the problem largely resides with the various phone manufacturers and mobile phone carriers who aren’t always so quick to release critical updates."
Hackers were found to be able to sneak past the Same Origin Policy to allow elements from one website to access another, in what has been called "a privacy disaster" by security firm Rapid7.
Though users of Android 4.4, the latest version, are thought to be unaffected because they use the new browser Chrome, three-quarters of Android users are running previous editions of the operating system.
A spokesman from Google told CBR: "We have reviewed [the original] report and Android users running Chrome as their browser, or those who are on Android 4.4+, are not affected.
"For earlier versions of Android, we have already released patches."