“Security patch” is a term for the programs and data that fix known vulnerabilities in software. Vulnerabilities are weaknesses, software bugs that can be “weaponized” to compromise the security and privacy of users. How many times have we witnessed, in the mobile space and particularly on Android with its many unpatched defects, Google creating the necessary patch less than a week after discovery, only to find that the device vendor and/or the mobile carrier has not bothered to push the patch to its current customers’ devices. Google for a decade now (the first version of Android was eleven years ago, in 2008).

Since August 2015 Google has compiled security patches into an update released once a month, identified by its “Security Patch Level”. These updates are published to Android’s open source development project, AOSP (Android Open Source Project), and to the Nexus and Pixel series, which can be considered the Android reference models. The makers of Android smartphones also validate the contents of security patches and distribute them to their own products, which most of the time means only specific top models. This “optional” choice by device manufacturers weakens Android as a secure mobile platform.

You can check the security patch level of an Android smartphone under Settings > About Phone/Device. There are various severities of security issue: for example, remote code execution, where arbitrary data is sent to the smartphone from a remote location and executed; heap spray, which disperses arbitrary data in memory; and information leakage, where communication that should be concealed is exposed because of insufficient encryption. Mobonogram, for example, is considered a Potentially Harmful App, but is not outright classified as malware even by antivirus vendors. Fake apps that claim to perform a specific function but do something else in the background are very difficult to remove, especially if the hardware vendors do not cooperate with Google’s patching scheme.
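The patch level shown under Settings > About Phone is the system property `ro.build.version.security_patch`, a `YYYY-MM-DD` string that can also be read over `adb shell getprop`. The following script is an added example, not code from the original post: it parses a `getprop` dump and flags devices whose patch level is older than a policy threshold, the kind of check an administrator would run across a fleet rather than opening Settings on each handset. The 90-day threshold and the sample `getprop` output are constructed for the example; the date arithmetic is done in plain POSIX shell so the script does not depend on GNU `date -d`.

```shell
#!/bin/sh
# Added example: flag Android devices whose Security Patch Level is stale.
# Settings > About Phone shows the value of ro.build.version.security_patch;
# over a debug connection the same value comes from:
#   adb shell getprop ro.build.version.security_patch
# MAX_AGE_DAYS is an assumed local policy, not a value Google defines.

MAX_AGE_DAYS=90

# Days since 1970-01-01 for a proleptic Gregorian date (y m d as integers).
# Pure arithmetic, so it works in any POSIX sh without GNU date.
days_from_civil() {
    y=$1 m=$2 d=$3
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$((y / 400))
    yoe=$((y - era * 400))               # year of era, 0..399
    mp=$(((m + 9) % 12))                 # March-based month, 0..11
    doy=$(((153 * mp + 2) / 5 + d - 1))  # day of year counted from March 1
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    echo $((era * 146097 + doe - 719468))
}

# YYYY-MM-DD -> day number; fails (no output) on anything else.
date_to_days() {
    case $1 in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    y=${1%%-*}
    rest=${1#*-}
    m=${rest%%-*}
    d=${rest#*-}
    # strip a leading zero so "08" is not parsed as a bad octal literal
    days_from_civil "$y" "${m#0}" "${d#0}"
}

# Age in days of a patch level relative to a reference date (both YYYY-MM-DD).
patch_age_days() {
    p=$(date_to_days "$1") || return 1
    t=$(date_to_days "$2") || return 1
    echo $((t - p))
}

# Classify a getprop dump against the reference date: prints "stale",
# "current" or "unknown" (property missing or unparsable).
# getprop prints lines of the form: [ro.build.version.security_patch]: [2019-05-01]
classify_device() {
    level=$(printf '%s\n' "$1" |
        sed -n 's/^\[ro\.build\.version\.security_patch\]: \[\([^]]*\)\]$/\1/p')
    if [ -z "$level" ]; then echo unknown; return 0; fi
    age=$(patch_age_days "$level" "$2") || { echo unknown; return 0; }
    if [ "$age" -gt "$MAX_AGE_DAYS" ]; then echo stale; else echo current; fi
}

# Constructed sample of `adb shell getprop` output for one device.
SAMPLE_GETPROP='[ro.build.version.release]: [9]
[ro.build.version.security_patch]: [2019-05-01]
[ro.product.model]: [example-device]'

# Usage: evaluate the sample as of 2019-08-15 (106 days after the patch level).
classify_device "$SAMPLE_GETPROP" 2019-08-15   # prints: stale
```

In practice the dump would come from `adb -s <serial> shell getprop` for each enrolled device, and the reference date from `date +%Y-%m-%d`; the classification then feeds whatever inventory or alerting the organisation already uses.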

On Android, such security patches are released every month, not only with major updates that change the version number. Google usually supports up to two versions older than the current one. At the time of this writing the current version of Android is 9.0 Pie, and the search giant still supports version 7.x Nougat. It is not uncommon for companies to resolve Android bugs themselves, for example for security holes registered on the website that manages CVE identification numbers, and to provide security patches on a monthly basis. Each manufacturer wants to differentiate its products from the others, and such customization prevents a new version of Android from being installable on their devices until enough compatibility assessments have been done.

If Google’s monthly security patches were not released, it would be extremely dangerous: weaponized vulnerabilities would leave affected devices exposed. A smartphone is the most personal of all personal computers, as users entrust more of their personal information to these devices than to any other computer. Google seems to be as open as possible about security issues, posting details of security vulnerabilities affecting Android devices on the web and dealing with all of them every month. Partners are notified of all vulnerability issues a month before public disclosure, and source code patches for these issues are released in the AOSP repository (the software storage mechanism).
