Android Under Attack: Google Patches; Samsung Users Wait

When Pixel Gets Patches, Samsung Users Stay Vulnerable

The Cybersecurity and Infrastructure Security Agency (CISA) maintains a Known Exploited Vulnerabilities Catalog, essentially a hit list of security holes hackers are actively exploiting. When Google rushes fixes based on CISA warnings, Pixel phones receive them immediately. Samsung devices? Still waiting.

Samsung commands nearly one in three Android phone sales globally. That scale makes update delays catastrophic. While the company has improved its cadence compared to five years ago, it still trails Google’s Pixel line and Apple’s iOS ecosystem by significant margins.

Why Samsung Can’t Keep Up

The technical reality is complex. Samsung must customize Android to fit its hardware, layer One UI on top, integrate pre-installed apps, and test across dozens of device configurations. Google’s Pixel phones run stock Android, no customization overhead, no bloatware delays.

The Carrier Bottleneck

Even after Samsung prepares updates, carriers demand their own testing and certification before allowing distribution. Verizon, AT&T, and T-Mobile each run separate approval processes. Google bypasses this entirely for Pixel devices, pushing updates directly to users.

Google announced “a new chapter for how Android updates work, moving from a single, yearly operating system update to more frequent releases.” The pitch: users get features “as soon as they’re ready.” The reality: this exacerbates fragmentation.

Frequent releases benefit Pixel devices. Other phones wait for OEMs to integrate changes. The gap between Google’s vision and Samsung’s execution widens with every quarterly drop. As Google noted, “Other phones have to wait”, a tacit admission that the new model favors its own hardware.

What Users Miss While Waiting

Security patches are just part of the problem. Major OS upgrades, Android 13 to 14, for example, take months to reach Samsung flagships. During that window, users miss:

• Security improvements: Known exploits remain unpatched
• Performance optimizations: Battery life and speed enhancements unavailable
• Privacy controls: New permission systems and tracking protections delayed
• Feature parity: APIs that app developers assume exist… don’t

The Seamless Update Problem

Android’s A/B system partition allows “seamless updates”, installs happen in the background, no downtime, no waiting for reboots. Google Pixel phones use this. The Galaxy S25 finally supports it. But Samsung’s mid-range and budget devices? Still stuck with disruptive, 15-minute update installations that require manual reboots.

Only the S25 flagship and, bizarrely, one random mid-range model support seamless updates across Samsung’s entire lineup. For a company selling 270 million phones annually, that’s inexcusable fragmentation.

Android’s diversity is both its strength and Achilles’ heel. Thousands of device models, hundreds of manufacturers, countless regional variants. Apple controls hardware and software, shipping updates to 1 billion devices simultaneously. Google controls… about 5% of the Android market through Pixel sales.

Real-World Impact

• Enterprise security: IT departments can’t secure BYOD fleets when Samsung/LG/Xiaomi devices run 6-month-old patches
• Developer confidence: Why build for Android 15 features when 60% of devices still run Android 13?
• User trust: Choosing Samsung over Pixel means accepting delayed protection

OnePlus, Xiaomi, and Oppo face the same challenges but often outpace Samsung on updates. The difference? Simpler software overlays and regional focus. Samsung maintains One UI across 50+ active device models spanning $200 budget phones to $2,000 foldables, all requiring separate testing and certification.

Meanwhile, OnePlus supports fewer devices with lighter OxygenOS customization. Xiaomi’s MIUI (now HyperOS) updates are fragmented, but the company prioritizes flagship models aggressively. Samsung tries to support everything equally, spreading resources thin.

What Needs to Change

The current model isn’t sustainable. Solutions exist, but require industry-wide cooperation:

1. Google-mandated update windows: License requirements forcing 30-day security patch SLAs for Android certification
2. Standardized carrier testing: Industry-wide certification processes, not per-carrier redundancy
3. Modular Android architecture: Separate security updates from feature updates (Project Mainline expansion)
4. Transparent timelines: Public dashboards showing which devices receive which updates when
5. Financial incentives: Lower Google Play licensing fees for manufacturers meeting update targets

Project Mainline: The Partial Solution

Google’s Project Mainline delivers core Android components through Play Store updates, bypassing manufacturer delays. Critical modules — media codecs, Bluetooth stacks, DNS resolvers — update independently of OS releases.

But Mainline only covers ~20 system components. Kernel-level vulnerabilities, hardware drivers, and UI framework bugs still require full OEM updates. It’s a band-aid, not a cure.

The iPhone Comparison Nobody Wants to Make

iOS 17 reached 76% of all iPhones within 3 months. Android 14 hit 30% of devices after 10 months. That’s not a fair comparison, Apple controls everything, Google controls almost nothing. But from a user security perspective, the outcome is identical: Android users remain vulnerable longer.

Samsung’s Promises vs Reality

Samsung pledged 4 years of OS upgrades and 5 years of security patches for flagship devices starting with the S21 series. That’s better than most Android manufacturers. But “up to 5 years of patches” doesn’t specify frequency, monthly patches often become quarterly after year 2.

Google guarantees 7 years of updates for Pixel 8/9 series, matching Apple’s de facto support window. Samsung’s 5-year commitment trails by two full years, a critical gap for users keeping devices longer due to rising prices.

Regional Disparities Make It Worse

A Galaxy S24 user in South Korea receives updates weeks before identical devices in the U.S. or Europe. Samsung prioritizes its home market, then handles regional carriers sequentially. Indian users often wait longest due to the complexity of testing across multiple carriers and regional variants.

This geographic fragmentation means a vulnerability patched in Seoul remains exploitable in Chicago for a month. Cybercriminals don’t respect Samsung’s rollout schedule.

Android’s update problem has no simple fix. Google’s frequent release cadence helps Pixel users but widens the gap for everyone else. Samsung’s dominance means its delays affect more users than any other manufacturer’s. Carrier interference adds weeks of bureaucratic overhead to an already slow process.

The fundamental question: Can Google and OEM partners bridge the update gap? Or will Android remain perpetually fragmented, leaving hundreds of millions vulnerable to exploits patched months earlier on Pixel devices?

Solutions require industry-wide coordination, mandatory update timelines, standardized testing, transparent roadmaps. Without these changes, Samsung users will continue choosing between owning hardware they prefer and receiving security they need. That shouldn’t be a trade-off in 2025.

Until manufacturers prioritize update speed with the same urgency they apply to camera specs and display refresh rates, Android’s security reputation will suffer. And users will pay the price — in data breaches, malware infections, and the nagging knowledge that their expensive flagship runs month-old security patches while Google’s mid-range Pixel 8a stays current.

The Android ecosystem can do better. The question is whether it will.

Follow us on  Bluesky ,  LinkedIn , and  X  to Get Instant Updates