As a common platform for pervasive devices, Android has been targeted by numerous attacks that exploit vulnerabilities in its apps and the operating system. Compared to app vulnerabilities, systemlevel vulnerabilities in Android, however, were much less explored in the literature. In this paper, we perform the first systematic study of Android system vulnerabilities by comprehensively analyzing all 2,179 vulnerabilities on the Android Security Bulletin program over about three years since its initiation in August 2015. To this end, we propose an automatic analysis framework, upon a hierarchical database structure, to crawl, parse, clean, and analyze vulnerability reports and their publicly available patches. This framework includes (i) a lightweight technique to pinpoint the affected modules of given vulnerabilities; (ii) a robust method to study the complexity of patch code; and most importantly, (iii) a similarity-based algorithm to cluster patch code patterns. Our clustering algorithm first extracts patch code's essential changes that not only concisely reflect syntactic changes but also keep important semantics, and then leverages affinity propagation to automatically generate clusters based on their pairwise similarity. It allows us to obtain 16 vulnerability patterns, including six new ones not known in the literature, and we further analyze their characteristics via case studies. Besides identifying these useful patterns, we also find that 92% Android vulnerabilities are located in the low-level modules (mostly in native libraries and the kernel), whereas the framework layer causes only 5% vulnerabilities, and that half of the vulnerabilities can be fixed in fewer than 10 lines of code each, with 110 out of 1,158 cases requiring only one single line of code change. We further discuss the implications of all these results. Overall, we provide a clear overview and new insights about Android system vulnerabilities.