According to Cheetah Mobile researchers, Ghost Push, a malware instance which has been crowned as the most prolific is still infecting devices two years after it was first discovered.
Android's fifth version, Lollipop, is still vulnerable to the attack and is currently in use by roughly 57 percent of all Android-based devices.
Remaining unaffected are Android's sixth version, Marshmallow, and the recently released seventh, Nougat, which together are in use by roughly 10 percent of Android devices.
Cheetah said that most infections come from malware-infected installations of pirate and open source apps, not from the Google Play store, and has advised that Ghost Push spreads through pornographic websites and deceptive advertising.
The researchers said in a blog post, "So far, this Trojan family represents most infections," adding that, "[The Trojan] is able to root almost all Android versions except for Android 6.0. The Trojan also leverages the SU files of several different parameters which are able to prevent other third parties from gaining root privilege."
Cheetah Mobile gave an example of an app – MXplayer – which is a legitimate file explorer application hosted on the Android XDA forums. The app itself is popular because of its lack of adverts and features common in equivalent Google Play apps.
The advice to users is to update devices to the latest version of Android as soon as new updates are released. Those with devices abandoned by their phone manufacturers – typically 18 months after devices leave retail shelves – should consider running third-party ROMs which are often updated weekly and run a purer strain of Android.