For the second year running, Google has released its annual report on the state of Android security, and like last year, there are some arresting headline figures. These include Google saying it now scans six billion Android apps every day on smartphones around the world to look for dodgy apps (known as Potentially Harmful Apps or PHAs, in Google's parlance). The company says this entails scanning 400 million devices daily, although it's not quite clear whether these are automated scans, those initiated by the user, or a combination of both.

Overall, though, the security picture for Android devices is pretty familiar. Google says that over the course of 2016, PHAs were installed on less than 0.15 percent of devices that only get apps from Google Play. If you include all devices in the Android ecosystem using Google's services (i.e. those that get apps from third-party app stores), this figure rises to 0.5 percent. Last year, Google said this figure was "less than one percent."

But even if the overall chances of an Android user installing a dodgy app are about the same, Google's not slowing down when it comes to new security features that deal with other sorts of threats. The new report highlights a number of additions made in the last year, including more granular app permissions and making full disk encryption a requirement on "most Marshmallow devices." In June last year, Android also joined Google's rewards program for bug bounty hunters, and the company says it has fixed over 100 vulnerabilities reported in this way and paid out more than $200,000 to researchers. There's also Marshmallow's "Android security patch level" feature, which keeps users better informed about the state of their device. But it seems on Android, a security researcher's job is never done.