For over a decade, Google has been consistent in publishing an Android Security Bulletin monthly. This bulletin typically outlines vulnerabilities that have been addressed in the month's security release, covering issues that vary in severity from low to critical. Due to the extensive and complex nature of the Android operating system, it is common to witness a multitude of vulnerabilities documented within these bulletins. However, a significant shift occurred in July 2025, marking an unprecedented moment in this timeline: the July bulletin became the first of its kind to report no vulnerabilities out of the 120 bulletins released up to that time. In stark contrast, the subsequent September 2025 bulletin disclosed a staggering 119 vulnerabilities.
This sudden change does not imply that Google was devoid of vulnerabilities to report in July. Instead, it reflects strategic adjustments made to the Android security update process, aimed at assisting device manufacturers (OEMs) in addressing high-risk issues more swiftly and enhancing user protection against active exploitation.
Over the years, Google has made significant strides in protecting Android from vulnerabilities. This includes writing new code in memory-safe languages like Rust and implementing advanced anti-exploitation protections such as hardware-backed Control Flow Integrity (CFI) and Memory Tagging Extensions (MTE). These enhancements, combined with Google's initiatives to accelerate Android updates and modularize the operating system through projects like Project Mainline, have made it increasingly challenging for malicious actors to exploit critical security vulnerabilities.
Despite these advancements, the vast and ever-evolving codebase means that vulnerabilities remain a constant threat. While anyone can discover Android security vulnerabilities, most are reported by responsible researchers, either working independently or through partnerships with Google. The Android security team then evaluates these reports to confirm the existence of a vulnerability, assess its impact, and assign a severity rating, such as Moderate, High, or Critical. Once validated, the vulnerability receives a unique Common Vulnerabilities and Exposures (CVE) identifier, facilitating tracking and management.
Once a security patch is finalized, Google does not release it immediately. This is primarily due to the lack of a comprehensive method for rolling out updates over-the-air to all Android devices. The exception lies with components included in Project Mainline, which allows Google to deploy fixes directly through Google Play System Updates. Although Google could submit patches to the Android Open Source Project (AOSP) upon readiness, doing so would expose vulnerabilities prematurely, causing partners to scramble to implement updates.
To streamline this process, Google established the Android Security Bulletin (ASB), which consolidates the disclosure of multiple security patches into a single monthly release cycle. The ASB exists in two formats: public and private. The public ASB has been consistently published each month since August 2015, typically on the first Monday of the month. In contrast, the private ASB is shared with OEMs and chipset vendors approximately 30 days prior, allowing them the necessary time to integrate and test the patches before public disclosure.
Despite the lead time provided by the ASB, many OEMs struggle to deliver timely security updates for their entire device lineup. Often, these manufacturers do not commit to monthly updates for all devices, with budget and mid-range models frequently receiving updates only bi-monthly or quarterly. This challenge is exacerbated by the need for carrier approval in certain regions before updates can be released, leaving many Android devices vulnerable to exploitation.
In response to these challenges, Google is implementing a new release strategy known as the Risk-Based Update System (RBUS). This system is designed to enhance the security patching process for OEMs while ensuring user security remains a top priority. Under this new approach, Google now prioritizes shipping only “high-risk” vulnerabilities in monthly releases, while the bulk of security fixes will be delivered in quarterly ASBs.
High-risk vulnerabilities are defined as critical issues that require immediate attention, particularly those under active exploitation or part of a known exploit chain. This classification is based on real-world threat levels, distinguishing these from a vulnerability's formal severity rating.
The RBUS offers several advantages for OEMs, including:
Fewer patches to merge, test, and deploy each month, simplifying the update process.Increased flexibility for OEMs in determining how quickly to release security updates.Encouragement for OEMs to adopt at least a quarterly update schedule, enhancing user protection.With the shift to prioritizing high-risk vulnerabilities, it is possible for some ASBs to report zero fixes, as seen in the July 2025 ASB. This does not indicate a lack of vulnerabilities; rather, it allows OEMs to decide whether to release updates even when the official ASB appears empty. For manufacturers that choose to release updates, such as Samsung, Google mandates that they do not publicly disclose details about the patched CVEs.
While the Risk-Based Update System aims to improve the security update process, it also introduces potential risks. For instance, the extended notification period for larger quarterly updates could provide malicious actors with more time to exploit vulnerabilities before patches are widely available. Although the private ASB is securely shared, it is accessible to numerous engineers across various companies, increasing the risk of leakage to malicious third parties.
Moreover, Google will no longer release source code for monthly security updates, instead providing it only for quarterly updates. This shift, coupled with other delays in OS source code availability, complicates the ability for most custom ROMs to deliver monthly updates, ultimately making it more challenging to modify Android devices effectively in 2025.
Overall, Google's new approach to Android security updates signifies a major transformation in the way vulnerabilities are managed and addressed. While the immediate impact for most users may be minimal, the changes should facilitate more consistent update delivery from device manufacturers, ultimately enhancing user security across the Android ecosystem.
For those interested in keeping up with the latest developments in Android, subscribing to the Authority Insights Newsletter will ensure you receive exclusive reports, breaking news, and insights into the future of Android technology.
