Things that I find interesting:
Harmful Apps and the Play Store
"Ongoing monitoring by Verify Apps found that efforts to deliver Potentially Harmful Applications (PHAs) continued at low levels throughout 2014, less than 1% of all devices had a PHA installed. Fewer than 0.15% of devices that download only from Google Play had a PHA installed." Android Security Report 2014, Page 3
Most importantly, it shows that Android is relatively secure from Potentially Harmful Applications (PHAs), but it also shows that the risk of installing such an app is multiple times higher if you install apps from outside the Play Store. As we were talking about such stores here, this indicates you should actually be careful from where you install your apps.
Btw: Even if you prefer to install your apps from F-Droid if available (like me) or buy paid apps outside the Play Store, the Google Play Services can be of benefit: The Verify Apps functionality is part of the Play Services and regularly scans apps (and each app once when installed or updated) for malicious behaviour (Android Security Report 2014, Page 5). As it is installed on millions of devices, I think they have pretty good data to work with.
From Page 19 onwards you find detailed information on PHAs.
Security in Android 4.4 and 5.0
I do not want to reinforce the discussion about why we do not get below Android 4.2.2 on the Fairphone. And I think it is great that Fairphone continues to integrate security updates into our Android 4.2.2 based OS (see the end of the 1.8.5 changelog for a list of fixed CVEs).
However, the following system level improvements will certainly not get backported, they would require an update to 4.4 and then/or 5.0: Updatable Webview, Enforced SELinux Mandatory Access rules (can be roughly seen as a kind of sandbox for Android Apps by restricting access to system parts to reduce the potential impact of malicious apps) and improved Full Disk Encryption. Android Security Report 2014, Page 4
But keep in mind: Disk Encryption is available in the Fairphone already – and I have been using it for about a year with no noticeable impact on the usability. I recommend turning this on as it improves the security of your data in case you lose your device.
OEM/SOC Specific Vulnerabilities
"Android devices are generally implemented by an Original Equipment Manufacturer (OEM) in partnership with a System On a Chip (SOC) to implement a kernel and device drivers that enable the Android Platform. Although not strictly part of the open-source Android Platform, these components are critical to the security of specific Android devices. … The inclusion of SELinux in full enforcing mode on Android 5.0, for example, is expected to reduce the chance of exploitation of these vulnerabilities." Android Security Report 2014, Page 9-10