A new study by two-factor authentication firm Duo Security has found similar results, and it also found that Android users aren't enabling available security features to protect data on their devices.
The company reports that just one in 10 Android devices has enabled pre-boot passcode device encryption, though this may change as more Android 6.0 devices are released.
Google updated its compatibility policy for OEMs to require that they enable full-disk encryption by default, although according to Google's distribution figures, just 0.7 percent of devices are running Android 6.0.
An easier protection to enable, which is often ignored by Android owners, is the passcode on the lockscreen. According to the firm, one-third of Android devices don't use a passcode to secure their lockscreen. By comparison, only one in 20 iPhones fails to have the lockscreen enabled.
Android's operating system fragmentation problem has long been a source of criticism by security-minded observers and, as Duo Security highlights, this feature of the ecosystem poses a risk to users.
For example, it points out that 32 percent of Android devices are running version 4.0 and below, which makes them more vulnerable to Android's Stagefright media library bugs since they lack key exploit-mitigation defences available in newer versions of Android.
Given that it still may be some time before Google, carriers, and device makers fix Android's fragmentation and patching problems, Duo Security recommends businesses encourage employees to use Google's Nexus devices over all other Android handsets -- advice that Samsung fans with BYOD smartphones would not like to hear.