Changes to Android security updates
Do you follow the news around Android security updates closely like we do? Then you might just notice changes in this. This is because Google has revised the way it rolls out security updates. The company is adopting a so-called "risk-based approach". This should help manufacturers respond faster to threats without users compromising on security.
Until now, Google released the monthly Android Security Bulletin (ASB), which listed all security vulnerabilities for that month. Manufacturers used that summary to compile and test their own patches. But because the process was complex, many devices, especially the cheaper models, received updates late or not at all.
That is why Google is now introducing the Risk-Based Update System (RBUS). In this new system, only the highest-risk vulnerabilities are addressed immediately on a monthly basis. Think of security vulnerabilities that are actively abused or are part of a known attack. Less pressing issues will now be fixed quarterly.
What this means for manufacturers and users
For manufacturers (also known as OEMs), this change means that they are less likely to have to deal with large numbers of patches at once. This makes it easier to roll out updates, including for more devices. Those who already receive monthly security updates will continue to receive them. For other devices, on the contrary, they are more likely to receive quarterly updates on a more regular basis from now on, with a larger number of improvements at once.
Quarterly updates appear in March, June, September and December, which explains why the September 2025 security bulletin contained as many as 120 vulnerabilities, compared to zero in July.
Security remains priority
Google stresses that Android itself is becoming increasingly secure through measures such as memory-safe programming languages (like Rust) and anti-exploitation protection. This makes it less likely that malicious actors can exploit critical bugs. The company also says that this new way of working helps manufacturers "address key risks faster".
There is some criticism: some experts fear that the longer preparation time for quarterly updates will give malicious actors more chances to discover leaks before they are patched. Still, according to Google, that remains a theoretical risk.
What you will notice
For most users, little will change. Your phone will continue to receive security updates, but possibly at a new pace. Whereas updates used to bring minor improvements every month, they may now come quarterly, but more extensively.
Reading tip: DroidApp Update Guide: all about updates for your Android device
