Given the app is downloaded from the Play Store, this is a mainstream Android vulnerability; that 16% of devices are affected is outstandingly bad. OK, all OSes have the odd vulnerability exposed; however, given iOS security updates are applied to iOS devices across the board and relatively quickly, really anyone in tech should be recommending iPhones to their non-techie friends. Controversial statement for many El Reg readers, I know, but really, if you are responsible and recognise many aren't able or motivated to keep on top of the tech security position of these devices, it shouldn't be controversial at all. At least not until Google get a faster turnaround sorted out with the carriers. It's the only responsible thing to do. Even vendors who have patched the vulnerability in their handsets are doing so far too slowly. The downloaders of this app are going to be generally more tech-savvy/security-aware, and if ~40% of such a selective set have affected devices, what chance have the rest?
What happened to all the Google promises of yesteryear that security patches would be rolled out in a timely fashion?