A security flaw has made it easy for scam artists to send phony text messages to Android phones with help of a security flaw, a report has said.
In late October, researchers at North Carolina State University alerted Google to a practice called "smishing" that can ensnare consumers in fraud.
Google's security officials confirmed the flaw and promising to correct it.
Within days they had incorporated a fix into the latest version of the Android operating system, Jelly Bean 4.2, and made available a security update for earlier versions.
But for most Android phones, the fix never arrived, and for many, it never will, the Washington Post reports.
That is because it is not clear which company, Google, the smartphone maker or the wireless carrier that sells it, bears ultimate responsibility for the costly process of getting security updates to an Android device.
According to the paper, fixes to known security flaws can take many months to reach individual smartphones, if they arrive at all.
Security experts said that the problem has contributed to making the world's most popular mobile operating system more vulnerable than its rivals to hackers, scam artists and a growing universe of malicious software.
Breaches remain more common on traditional computers than on smartphones, which have been engineered to include security features not found on desktop or laptop machines, experts added.
The report pointed out that if there was a major outbreak of malicious software, the fractured nature of the system for delivering updates could dramatically slow efforts to protect information carried on Android phones, including documents, passwords, contact lists, pictures, videos, location data and credit card numbers.