SAN JUAN, PUERTO RICO - There are millions of vulnerable Android phones in the hands of consumers today because wireless phone carriers and phone hardware makers refuse to transmit existing software security fixes to phones in a timely manner, according to a security researcher.

Apple has leverage over carriers and controls the distribution of software updates to its phones. Android users, by contrast, can't get an update to their phones without the carrier's intervention, notes Chris Soghoian, principal technologist and senior policy analyst with the American Civil Liberties Union. "The phones have to contact a server run by the carrier in order to get an update."

As a result, Android users are at the mercy of the update schedules of wireless carriers and hardware makers, who can take a year or longer to distribute new firmware containing fixes to phones.

"When Apple decides that it's going to give a security update to consumers or a feature update, every consumer who plugs their phone into their computer gets the update whether or not their respective regional carrier likes it," Soghoian said, speaking at the Kaspersky Security Analyst Summit.

But with Android, "you get updates when the carrier wants it and when the hardware manufacturer wants it, and usually that's not very often."

Research released by Duo Security last September found that half of the Android devices it sampled had unfixed vulnerabilities, even though Google had already made patches available for them. There are over 100 million Android devices deployed worldwide.

Hardware makers are slow to provide fixes for vulnerabilities because it's not cost-effective for them. When Google updates Android, each manufacturer's engineers have to adapt the update for every phone model or chipset that runs the operating system, which is time-intensive and pulls them away from the work they would rather be doing: developing new versions of the phone.

Although Google is quick to fix vulnerabilities in its software when it finds out about them, there is a dangerous lag in getting those fixes to Android users, he noted.

"This is not an instance where I'm criticizing Google for not fixing the bugs," Soghoian said. "Google's team will usually fix it very promptly and make it available to all of their hardware partners. The problem here is that fixes for critical security vulnerabilities are simply not getting downstream and reaching consumers."

The carriers and hardware makers blame each other for the delays, but the bottom line is that consumers are left with outdated and vulnerable devices, Soghoian said.

"You don't need [a zero-day exploit] to attack most Android devices if consumers are running 13-month old software," Soghoian said.

Soghoian said that carriers either need to accept responsibility for the devices they're selling or cede control of updates to Google.

But he said this is unlikely to happen unless the government applies pressure.