Why Android is likely safe from a WannaCry-like attack

Android users are no strangers to outdated systems -- a key component to how WannaCry spread so quickly. But Google's software has different safeguards.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
4 min read
Enlarge Image

Unlike the Google Pixel, most Android devices are running on outdated operating systems.

James Martin/CNET

The WannaCry cyberattack has ensnared more than 300,000 computers in 150 countries by taking advantage of outdated versions of Windows that never got Microsoft's crucial security patches.

Hmm. Millions of devices that are stuck on older versions of an operating system and don't have access to the latest updates. Where have I heard that one before?

That is, after all, one of the key problems with Android. Only 7.1 percent of its 1 billion users are on Nougat, better known as Android 7.0, the latest version of the mobile operating system. Nearly a third run on Android KitKat or older -- versions that came out more than three years ago.

"Over time, the more that Android versions age out, you're going to have an increasing attack surface for bad guys," said Josh Feinblum, vice president of information security at Rapid7.

But worry not, Android users. There are key differences between Windows and Android that keep the mobile operating system safe from WannaCry's clutches. Even with so many different flavors of Android, including versions tweaked by phone makers like Samsung or LG, it's unlikely that users are in for a wide-scale attack.

While Android isn't susceptible to WannaCry, it could be open to other attacks, including closed-off ransomware incidents.

But for now, the WannaCry ransomware -- a cyber shakedown in which hackers lock your computer and demand money to fix it -- is solely a problem found on Windows.

Here's why:

Monthly updates

Despite Microsoft patching the security vulnerability that had been leaked from the NSA in March, many of the systems held hostage by ransomware never had a chance to get the upgrade. That's because thousands of computers, including those used by hospitals hacked in England, are still running on Windows XP. Microsoft stopped supporting Windows XP with updates in early 2014, leaving many vulnerable to the last three years of new malware.

Google follows a different philosophy with its old operating systems. Since 2015, Android users going all the way back to version 4.4 receive monthly security updates, covering more than 735 million devices.

So while a person using a Samsung Galaxy Note S3 might not get the latest features like Google Assistant, they're still protected from security flaws through Google's support.

It's why when WikiLeaks claimed it released the CIA's Android exploits, Google came out and said it had already patched the vulnerabilities. Companies like Samsung and BlackBerry also offer their own regular security updates.

We'll learn more about what's next for Android, likely including details on a new version, on Wednesday when Google kicks off its annual developer conference, called I/O.

Still, not everyone is protected; about 10 percent of Android users on older software are not able to get the updates. Also, it should be noted that while Google is sending these security updates out every month, the responsibility to roll out these patches still falls on the carriers.

AT&T declined to comment on how frequently it sends customers these updates. T-Mobile, Sprint and Verizon didn't respond to requests for comment.

Follow the money

For the roughly 100 million Android users still vulnerable because of a lack of updates, ransomware probably doesn't need to be high on their list of worries.

There's a reason why these attacks are most common against hospitals, banks and businesses: They all have a lot of money, and a lot of data that they need on the spot. When a hospital's medical records are locked up from ransomware, people lose emergency services.

17 Android 7.0 Nougat features you need to know

See all photos

"They're more likely to be commercial and enterprise machines where somebody is going to pay bitcoins to get it back," said Jacob Osborn, a counsel for Goodwin's Privacy + Cybersecurity. "With Android, you're talking about people, which is much more unlikely that you'll get $300 out of a teen that needs their phone back."

There's crucial data in these systems, which if lost forever could cost more than the ransom that hackers put on their computers. Now take a look at what's on your phone. Sure, if it gets locked up, you could lose photos or contacts, but people are not willing to pay up $300 for that -- especially if it's automatically synced to a cloud service like Google Photos.

"There is an uptick in vulnerable Android operating systems, and exploits surrounding them, but not essentially to the extent that requires you to fork over money to unlock or decrypt your device," Feinblum said. "Resetting a mobile device, regardless of age, tends to be really easy. So much of what you do on a phone is so easy to back up."

When it comes to ransomware, it hits where hackers think they can make the most money. There's just no financial incentive for infecting phones with ransomware, though that's not to say it doesn't happen.

Controlled fires

WannaCry spread itself through computer networks using a standard sharing tool called Server Message Block. So even if you did everything right, if one person in your office slipped up, you all get hit with ransomware.

It's why WannaCry was able to spread so quickly, with its variants infecting 200,000 computers before its first kill switch was activated.

Even though most Android phones are always connected online through carriers, they aren't connected to each other like computers in an office are. So if your co-workers get hit with ransomware on their phone, you'll still be fine -- although you might want to deny any files they try to send you.

"The flaw is unique to Windows," said Brenda Sharton, Goodwin's Privacy + Cybersecurity chair.

Because Android devices (and most smartphones) tend to keep to themselves, the spread of malware would not nearly be as fast as WannaCry, Feinblum said.

Updated, 1:57 p.m. PT: To clarify that carriers are responsible for pushing out Google's monthly security updates.

CNET Magazine: Check out a sampling of the stories you'll find in CNET's newsstand edition.

Technically Literate: Original works of short fiction with unique perspectives on tech, exclusively on CNET.