A lot of that discrepancy stems from what Google can do to clamp down on malware outside its own walls. Google Play already had screening to prevent hostile apps from getting through, and Google says that it reduced the chances of installing those apps by 40 percent last year alone. There are security measures beyond the store (such as post-install app verification), but they're limited -- the same freedom that lets you use non-Google Play apps also lets people write malicious apps that Google can't always catch. Many third-party app stores can't or won't screen as thoroughly.

Things should get better this year. Google's monthly security updates are increasing the likelihood that you'll be safe against attacks, even if the patches don't always arrive on time or on every device. Also, the rising adoption of newer Android flavors (namely Lollipop and Marshmallow) both gives Google more control over web code and increases the odds of spotting suspicious behavior before it's too late. You'll know that these were effective if next year's security report is all sunshine and roses.