Less than two months ago, Duo Security released a DARPA-funded Android app called X-Ray, which looks for known privilege escalation vulnerabilities that could potentially give malicious apps access to root privileges on your device. Since launch, the company has already collected results from over 20,000 Android devices worldwide, and initial results show that over half of Android devices worldwide have unpatched vulnerabilities that could be exploited by a malicious app or hacker.

The security app assesses how vulnerable your device is, instead of scanning for malicious apps like an antivirus app. X-Ray can identify known but still unpatched vulnerabilities that could be exploited to take full control of users’ phones. Given that carriers and device manufacturers take forever to roll out patches that fix security holes in the Android platform, this is a serious problem. Duo Security notes that “users’ mobile devices often remain vulnerable for months and even years.”

Given that Android has the largest market share in mobile, it’s not surprising that attackers are so interested in targeting the OS with malicious apps and hacks that exploit known vulnerabilities. Google unfortunately relies on its partners to push updates to Android phones and tablets, which leaves many using outdated and insecure software. On the other hand, Apple has a much better approach when it comes to releasing patches for iOS, the second largest mobile operating system: new versions are pushed to all users directly.

The “over 50 percent” number sounds scary, but I’m actually not too surprised given the latest Android operating system version breakdown. I mean, there’s bound to be unpatched vulnerabilities because most updates just aren’t offered, let alone installed by users.

Duo Security agrees: “We feel this is actually a fairly conservative estimate based on our preliminary results, the current set of vulnerabilities detected by X-Ray, and the current distribution of Android versions globally.” One must remember the demographic that is installing this app. On the one hand, those are those who care more about security, and therefore make a point to install patches. On the other hand, there are those who think there is something wrong with their device, either because it’s malfunctioning or infected, and want to check how bad the situation is.

“I’ll be presenting the full details later this week (Friday) at the United Summit conference out in San Francisco,” Duo Security CTO Jon Oberheide told The Next Web. Unfortunately, Rapid7‘s United Summit costs $1,395. Thankfully, the full details (including full results, statistical methodology, and the future of X-Ray) will be posted next week for free, and The Next Web will update you when they are.

Image credit: stock.xchng

Read next: Google and Khan Academy launch contest to bring new forms of education to YouTube