The analysis paper starts out by saying "With hundreds of millions of devices expected to be traded by 2018, flaws...could be a serious problem." Unfortunately that same analysis focused on Android operating systems PRIOR to v4.4 (KitKat), which was released in October 2013 (https://en.wikipedia.org/wiki/Android_version_history).
Since then, Android has released major versions (4.4 KitKat, 5.0 Lollipop) and various major updates within those families (4.4.2, 4.4.4, 5.1). To put this in perspective, they're talking about risks in 2018 from software no newer than 2013 while writing and publishing in 2015. That's a classic case of picking your data to fit your conclusion, or cherry picking (https://en.wikipedia.org/wiki/Cherry_picking_%28fallacy%29).
There were many fixes in Android security systems in 4.4 and also in 5.0. 5.0 now supports hardware encryption on e.g. HTC and OnePlus One platforms, among others. To apply "anyone can get the key and brute-force a password" [paraphrased] is to deny that, no, you can't.
It's often more convenient for "researchers" to provide something with glitz and hype to catch the media's attention, but in this case the hype cherry-picks data that ignores two years of active open-source development and many security updates.
Poor science and hyperbolic headlines make for brain-free reading.