Phones keep popping up system updates, and Google is ready to step in and solve this problem.

3eLife 2025-09-30 07:14
In fact, RBUS is more like "plugging one's ears while stealing a bell," but the benefits are also obvious.

"Why does the phone pop up system update prompts every now and then?" This is a question raised by many users when phone manufacturers keep urging them to upgrade the system. To avoid disturbing users with frequent system updates, Google may step in. Recently, a source revealed that Google is planning to introduce a "Risk-Based Security Update System" (RBUS) to the Android system.

The core purpose of RBUS is to change the Android security update mechanism. Monthly updates will be limited to only include high-risk vulnerabilities, while the remaining medium and low-risk vulnerabilities will be postponed to quarterly updates. This means that Android's security strategy will undergo the biggest shift in a decade.

Back at the 2015 Black Hat Conference in Las Vegas, Google announced that it would release monthly Android system security updates, the Android Security Bulletin, to reduce the risk of Android devices being attacked. For example, at the beginning of this month, Google launched security updates for versions 13-16 of the AOSP system, fixing a total of 84 vulnerabilities, including two zero-day vulnerabilities, CVE-2025-38352 and CVE-2025-48543, which had been actively exploited by hackers.

In fact, Google's Android developer website shows that the company's consistent release of security patches is also the key to the increasing security of Android over the past decade, even with support for sideloading.

Although Google's monthly Android security update strategy has made users' devices more reliable, the accompanying negative impacts cannot be ignored. In today's environment where smartphones have become a "new organ" for humans, many people even keep their phones on 24/7. At this time, the forced shutdown of the phone caused by frequent system updates will obviously make some users dissatisfied.

In a sense, Android users are actually over-protected, to the extent that they forget that the network is actually full of crises, and security is a luxury. However, consumers are "kings", and Google really can't expect users to understand their good intentions. So, by introducing RBUS and changing the security update strategy, Google can reduce the content of monthly security updates, making each system update less disturbing to users.

Of course, appeasing users may only be a secondary goal for Google in launching RBUS. Its real purpose is to reduce the pressure on OEM partners and encourage Android phone manufacturers to pay more attention to system security updates. As early as 2018, Google found that many terminal manufacturers ignored security updates. A considerable number of phone manufacturers did not push security updates to users in a timely manner, which became the key reason for the proliferation of malware in the Android ecosystem.

For this reason, Google announced in 2019 that starting from January 31, 2019, Android device manufacturers would be required to push security updates to users, and all users' devices must be protected from security vulnerabilities discovered in the past 90 days. However, there are always countermeasures against policies. Even though Google holds the powerful GMS certification, it is still helpless in the face of the "non-violent non-cooperation" of terminal manufacturers.

In fact, system updates have always been a pain point in the Android ecosystem. Compared with the closed Apple iOS, the Android ecosystem not only includes Google but also chip manufacturers such as Qualcomm and MediaTek, as well as a large number of Android device manufacturers. If Android is regarded as a whole, the large number of SKUs makes it extremely difficult to adapt system updates. Therefore, faced with such a huge workload, a considerable number of Android device manufacturers choose to be irresponsible and only push updates for flagship products in a timely manner.

The duplicity of terminal manufacturers forces Google to solve the problem through technical means. For example, Project Treble, added in Android 8, separates hardware drivers from the system, allowing terminal manufacturers to push system updates to devices independently without re-adapting drivers. And Project Mainline, introduced in Android 10, modularizes system functions, enabling upstream suppliers to provide more detailed function updates.

However, the problem is that Project Treble and Project Mainline only solve the problem of Android system fragmentation, making terminal manufacturers willing to push new major-version system updates for old devices. They are ineffective in dealing with frequent security patch updates. In this regard, Chris Patrick, the vice-president of Qualcomm, once admitted that "for OEM manufacturers, pushing security updates and Android version updates to every end-user is a very complex and costly thing."

In view of this, Google can only launch RBUS, a compromise and expedient measure. It is reported that the core of RBUS is that Google's monthly updates for the Android system will only target vulnerabilities that are being actively exploited by hackers or are part of a known attack chain. In other words, only vulnerabilities that have been confirmed by network security agencies and exploited by hackers will be regarded as an imminent threat by Google. Vulnerabilities that have been discovered but not publicly disclosed will be ignored.

Yes, RBUS is actually a form of "burying one's head in the sand" to some extent, but the benefits it brings are obvious. That is, the number of security patches that terminal manufacturers need to process each month will drop sharply, and the testing and release pressure on manufacturers will be significantly reduced.

But the question is, what is the price for all this? In this regard, some network security experts point out that RBUS is very likely to become the fuse for the deterioration of the Android security situation.

Under the RBUS model, Google will disclose medium and low-risk vulnerabilities that need to be patched to terminal manufacturers one quarter in advance. However, this behavior will inevitably lead to the risk of the leakage of vulnerability details. Nowadays, Android system vulnerabilities are clearly priced on the dark web. Even on the public network, a large number of third-party companies are collecting Android vulnerabilities.

As long as there is a profit to be made, it is hard to guarantee that no one will take the risk. After all, the cost of bribing Google's security team is different from that of bribing the staff of small and medium-sized terminal manufacturers.

This article is from the WeChat official account "3eLife" (ID: IT-3eLife), written by 3eLife. It is published by 36Kr with permission.