According to Google's new Android ecosystem transparency report, you're eleven times more likely to be infected by malware if you're running Android Lollipop (5.0) as opposed to Android Pie (9). The same report shows that if you sideload apps, you're almost seven times more likely to be infected than if you stick to Google Play as your app source. All of the data provided in the report is quite interesting, but there's a clear pattern among malware-infected users.
Google calls malware PHAs, or potentially harmful apps. This distinction means the same app could be potentially harmful on one Android version, but entirely innocuous on another version. For instance, an app that attacks older APIs is potentially harmful if your device is running an older Android version like Lollipop, but if you installed the same app on a phone running Android Pie, new security measures could have rendered it completely safe.
Looking at the chart above, you may be thinking the lower infection rates are a byproduct of fewer people running the new Android versions. But these are percentages of devices infected by malware, so the total number of users has no impact. The Lollipop PHA rate is 0.66%, while the Pie PHA rate is 0.06%.
The difference in PHA rates is almost as staggering when you only look at people who install apps from the Google Play Store and compare them to people who also sideload apps from external sources. Google Play users are infected at a rate of 0.09% globally, while sideloaders are infected at a 0.61% clip.
Google went on to compare PHA infection rates by country, and the results are surprising. Indonesia and India (gold and green lines, respectively) had the worst rates at 0.65%, but the United States (black line) was third-worst at 0.53%. You'd think with the US being one of the world's richest countries that there would be more flagship Android phones per capita than other countries, and with flagship phones generally receiving updates more often than budget phones, people would be more protected on the newer Android versions.
We can only speculate here, but the reason for the high PHA rates in the US could be twofold: more instances of sideloading apps per user, and more phones from OEMs with bad Android update track records.
With Samsung being notoriously slow for Android updates, they have to share some of the blame for the poor malware rates in the US. They're by far the most common Android brand in the US, and they're one of the few manufacturers who still haven't updated a majority of their recent devices to Android Oreo, an OS upgrade that was made available 15 months ago.
While there's nothing you can do about a phone that isn't receiving updates (aside from rooting and installing a custom ROM), you can certainly improve your security by being vigilant about sideloading apps. If you must sideload, at least make sure to only download APKs from trusted sources like APKMirror or a dependable developer's official website.