Despite concerns that Android is susceptible to some scary security issues, Google argues its mobile operating system has never been better.
The company on Tuesday released its Android Security 2015 Annual Report, which shows that as long as users were downloading apps from the company’s Google Play marketplace, they were unlikely to have faced much trouble. In fact, Google’s (GOOGL) report shows that “potentially harmful apps,” or PHAs, “were installed on fewer than 0.15% of devices that only get apps from Google Play.”
Google broke down its findings by the potentially harmful application. The company said that installs of apps that collected data were down more than 40% to 0.08% of all Google Play downloads. Spyware app installs decreased by 60% to 0.02% of installs, and “hostile downloaders,” which download malicious apps on a user’s device without their permission, were down 50% to 0.01% of installs.
“We protected users from malware and other PHAs, checking over 6 billion installed applications per day,” Android Security lead engineer Adrian Ludwig said in a statement. “We protected users from network-based and on-device threats by scanning 400 million devices per day. And we protected hundreds of millions of Chrome users on Android from unsafe websites with Safe Browsing.”
Get Data Sheet, Fortune’s technology newsletter.
Google’s report comes as users again question how safe their Android devices are in light of a report last month that found a new hack affecting Android devices.
Israel-based security firm NorthBit reported that it had discovered a vulnerability that allows a hacker to exploit the Android code library known as “Stagefright” that processes several media formats. While the issue was discovered last year, NorthBit claims it could affect as many as 275 million Android devices.
The report followed last year’s Stagefright trouble, where hackers could exploit a bug in Android by sending users a malicious MMS message. Soon after, the Android phone could be accessed to comb through a user’s data, photos, camera, and other data. What’s worse, users wouldn’t even know their handset had been compromised.
While Google fixed the bug—as well as the one NorthBit announced earlier this year—getting updates to users has always been difficult. Google first needs to release the patch to vendors, which may or may not pass it on to their customers. The updates then must travel over carrier networks until they’re finally delivered to a device. In some cases, those updates never make their way to affected handsets, through no fault of Google’s own.
For more on Google’s Android security, watch:
There’s also the issue of where a user downloads apps from. While Google operates its own Google Play marketplace, Android users can get apps from any number of third-party application stores. In many cases, those stores feature content Google doesn’t allow, or hasn’t yet allowed, into its store. And in some cases, they contain apps filled with malware.
Indeed, while Google noted that fewer than 0.15% of the Android devices running worldwide were affected by apps downloaded from Google Play, that figure soared to 0.5% of devices with apps from both Google Play and “other sources.” And the threats don’t appear to be getting better.
“In 2015, we saw an increase in the number of PHA install attempts outside of Google Play, and we disrupted several coordinated efforts to install PHAs onto user devices from outside of Google Play,” Ludwig said in a statement.
In one such case, Google took aim at Ghost Push, a family of hostile downloaders that placed malicious apps on a device. The company noted that during the summer last year, Ghost Push represented up to 30% of all app-installation attempts worldwide.
New ‘Stagefright’ Hack Exposes 275 Million Android Phones
“For roughly seven weeks, Ghost Push installation attempts contributed up to 30% of all installation attempts worldwide,” Google wrote in its report. “In total, we found more than 40,000 apps that we categorized into this family and we logged more than 3.5 billion installation attempts for these apps.”
Google added that it investigated the issue, found that four million devices worldwide were infected with Ghost Push, and has since remedied the issue and reduced the number of infected devices by 90%.
Ludwig also touched on Google’s bug-bounty program, which aims at allowing hackers to find flaws in Android and tell Google about them. Google pays the bounty hunters for the bugs they find based on the severity of the bugs. While that program started in June, Ludwig said that Google has already fixed more than 100 vulnerabilities and paid out $200,000 to researchers. Google is continuing its bug bounty program in 2016.
