"Unfortunately, while Google can remotely fix affected devices, it can’t automatically patch the security hole that made the exploit possible in the first place. That’s because the hole exists on the system level, so it requires a system upgrade to resolve — and it’s up to the carriers and hardware manufacturers to deploy the fix. Google is issuing a patch and informing its partners that it is urgent, but who knows how long it will take the carriers to push it to users.
As if to underscore this problem, Google says that the exploit was actually already fixed in recent versions of Android, and that it only affects version 2.2.1 and lower. Unfortunately the vast majority of Android devices are still running older versions of the OS because of the aforementioned sluggish carrier updates...
The whole situation is pretty alarming for Android users (and I’m sure the email alerts Google will be issuing are going to spur even more user angst). Google wins some points for removing the affected applications within minutes of being informed of their malicious intent. But the fact that it is unable to distribute system security updates is unnerving — Google can downplay Android’s fragmentation issue all it wants, but when user security is at stake, we shouldn’t have to rely on the carriers."
