Google and OEM-based attack vectors
On paper, Android conceptually seems like a grand, world-bettering idea. Common OS shared by a world full of hardware manufacturers, self-monitoring through it all. In execution, however, it seems to have been a nightmare. From the horrible slowness of new OS adoption to malware to “XYZ” skins to maintaining security….a nightmare.
From the Ars article, “"One of these security tests scans for pre-installed PHAs [potentially harmful applications] included in the system image," Google officials wrote in their Android Security & Privacy 2018 Year In Review report. "If we find a PHA on the build, we work with the OEM partner to remediate and remove the PHA from the build before it can be offered to users."“
This is indeed some complicated stuff but even a layman could see the challenge here.