Nokia’s 2017 threat Intelligence report provides a reminder why it is a good idea to restrict app installs to the Google Play Store.

Nokia discovered that 68 percent of all devices that were infected in the previous year was running Android, followed by 28 percent running Windows, and around 3 percent running iOS.

The figures are found on data collected from Nokia’s NetGuard. It is a security product used by mobile network operators and used to observe network traffic from over 100 million devices across North America, Europe, the Middle East, and Asia Pacific. Except for India and China.

Nokia also studied the section of Android devices that were infected per month was on average 0.94 percent this year. Nokia says the overall mobile device infection rate was 0.68 percent, while the figure was around 0.2 percent for Windows devices connected to mobile networks, either via a dongle or tethered to a phone.

Nokia estimates the number of Android malware samples has grown by 53 percent over the past year through to July 2017. It now has a collection of 16 million samples.

The most prevalent smartphone malware detected in networks that Nokia monitors all targeted Android. The top was Android adware called Uapush, followed by the Jisut Android lock screen ransomware that Eset researchers found targeting Chinese users.

The Marcher Android banking trojan was the third most commonly seen malware, which is usually hidden in fake versions of popular apps, such as Netflix, that are distributed on non-Google app stores.

Google Play only represents four percent of installs in China where the app market is dominated by local players like Tencent, Qihoo 360, Baidu, and Xiaomi, says Nokia.

End-user devices are not always the victims and can also become attackers. The report states the huge WireX Android DDoS bot found this year that harnessed 150,000 devices to attack content delivery networks. Google, Akamai and security researchers worked together to take the botnet down and remove 300 apps from Google Play.

Nokia’s Threat Intelligence Lab also recently explored an “accidental DDoS” in which a single phone caused problems at an unnamed device builder after suddenly sending 50,000 52-byte TCP packets per second.

Over a one-minute interval, the phone had sent two million packets to the builder’s web server. The disturbance indicated the builder was under a DDoS attack, but Nokia discovered the flood of traffic was due to a flaw in a software update.

“It is significant that a software flaw could cause a single smartphone to generate so much traffic,” Nokia mentions.