Android security has always been an uphill fight. Unlike iOS, there’s no single mandatory App Store, making it easier for a bad link to give rise to a persistent malware problem. At the same time, the operating system is spread across dozens of carriers and device manufacturers, making it hard to push out fixes once a vulnerability is discovered. But after 2015’s Stagefright bug, Google started a new crackdown, hardening subsequent versions of Android and demanding better patching schedules from partners. Now, a year and a half later, those efforts may finally be starting to bear fruit.

Today, Google published a new report on the fight, running down the state of Android security in 2015. Over the course of 71 pages, the report details how well Android phones held up in 2016, both in receiving patches and avoiding malware. It’s still an uphill fight, but the report shows some of Google’s most aggressive moves may be starting to pay off.

The most striking news is on “potentially harmful applications,” Google’s term for suspected malware, which rose slightly over the course of 2015. Harmful apps were installed in 0.7 percent of Android devices in 2016, rather than the 0.5 percent observed in 2015. As usual, most of those infections were driven by apps from outside the Google Play Store, and Android phones that stuck to Google’s own App Store were 10 times less likely to be infected. Of those phones, only 0.05 percent had installed a potentially harmful application, down from 0.15 percent the previous year.

Between the Play Store and Android itself, Google has a powerful vantage point for spotting and automatically squashing that malware before it can spread. Many of those programs are still getting on their feet. One of the more aggressive examples, Verify Apps, blocks around 1 percent of potential malware that tries to install a secondary app. But Android security chief Adrian Ludwig says those programs could start to make a big difference for Android users in the years to come.

“We know enough about the behavior of malware authors,” Ludwig says, “the infrastructure they have created to be able to deliver these applications, and the techniques that they’re using, that we’re starting to see ourselves one step ahead.”

The greater concern is Google’s power to push out code fixes when new vulnerabilities are discovered, a power that has grown in recent years. After Stagefright, Google began publishing monthly Android security bulletins full of every security bug detected in the operating system — and giving manufacturers and carriers one month’s head start to fix the bugs before they became fully public. Android is still heavily fragmented across versions and the bulletins aren’t enough to get updates to every phone, but they’ve meant a faster pipeline for the phones that do see upgrades.

“In general, if a manufacturer provides an update, we can get it through carrier approval in less than a week,” says Ludwig. “We’re finally through the ‘Get Out of the Way’ phase.”