Who can SMBs trust in an age of mega bugs?

There are many abstract and dramatic sounding tech-terms used to describe IT concepts, products and services that anyone outside of the IT industry may not be familiar with, fully understand or care to know about.

From the Cloud to the Internet of Things and WANs, LANs, Spyware, Firewalls, Worms and Trojan Horses, there is no shortage of colourful examples. “Mega bugs” is yet one more phrase to add to the list, but this one is well worth paying attention to.

What are they?

Mega bugs aren’t called so because they’re large in file size. They are technical vulnerabilities in phone or tablet software that put a huge number of devices using that operating system at risk. It’s the scale of their potential impact that makes them mega.

This is because malware – whether downloaded from a website, hidden inside an app or unwittingly accessed by clicking on a link in an email – can be written to exploit these vulnerabilities. The number of devices at risk will depend on how many people are using the version(s) of the operating system affected.

The risk to SMBs

Whether an employee is using company-supplied tech or their own device at work, businesses need to be aware of which platforms these mega bugs affect, because only then can they understand the relevance to their business and the extent of any potential impact. For instance, more than 85 percent of all smartphones sold in 2016 were Android phones. Therefore, any bug in the operating system might affect millions of devices.

Android has also been ranked top of the 2016 vulnerabilities list. So it’s interesting to hear that Google claimed earlier this year that “very, very few people have ever suffered at the hands of its bugs”. It said this despite all the warnings in the tech media and the fact that its bugs put at risk over 80% of all Android phones. One such bug, Stagefright, endangered 99% of all Android devices.

Don’t believe the hype?

Speaking at the RSA security conference in San Francisco earlier this year, Adrian Ludwig, director of Android security, said the Stagefright hole did put 95% of Android phones and tablets at risk of attack.

However, there have been no “confirmed” cases of infections via the bug. Infections of the earlier MasterKey mega bug had peaked at eight infections per million and FakeID at one infection per million after the details were released, and none before it.

Ludwig was confident in his figures, he said, thanks to malware detection software called Verify Apps that is installed with Google Play on more than 1.4 billion Android phones. This software reports back to Google when it spots something nasty.

A false positive?

The reason for the low level of hacking, he argues, is that mobile operating systems are now so well locked down that it is quicker and easier for cybercriminals to make their money elsewhere. That sounds quite reasonable. Maybe SMBs have little to worry about after all.

Long-standing Android users are themselves starting to get rather blasé about what has been labelled “Android scare season”, which usually comes close to one security conference or another and follows a fairly predictable pattern. A report is published by a security company highlighting an Android vulnerability, the tech media cover it in an apocalyptic fashion, then the bug is fixed, and in the end one question is always left unanswered: does any of this actually matter?

“It’s starting to feel as if we are almost always under some form of attack from this or that spyware, virus or backdoor. Well, security companies are certainly trying to make us believe that, especially those who have attached their livelihood to Android,” writes Kellex, founder of the online Droid Life Community.

“This isn’t me completely dismissing potential threats on Android, it’s just that most of these ‘67% of Android users at risk!’ types of headline-grabbing reports almost always contain a big asterisk that involves some form of, ‘This doesn’t concern you if you install everything through Google Play.’ In other words, if you own a legitimate Android phone that has Google services and aren’t installing pirated apps through scary-as-hell third-party app stores, you are fine.”

“As Kellex wrote, it can seem as though there is a constant procession of mega bugs for businesses to worry about – and clearly the vulnerabilities in the Android operating system could, in theory, put a great deal of devices and sensitive information at risk,” says Greg Mosher, Vice President of Product and Engineering, SMB, AVG Business by Avast. “Yet in practice it is easy to update your phone, make sure you download apps from the official source or even buy a new phone to stay updated – although many small businesses struggle to find the time to do this.”

But some security threats are real

It can be a tough call for any business new to Android to distinguish between accurate information, spin and hyperbole. It is even harder for small businesses that may lack the IT know-how or the time to verify the various claims. The danger is that they will then dismiss all the warnings about these mega bugs as noise and hyperbole.

This can then lead to a chain reaction of complacency about what are, in reality, genuine threats: warnings from experts are dismissed as click-bait, and a sluggish attitude develops towards updating Android software, security patches and antivirus, no matter how easy it is to do.

The result? A greater chance that business devices and data will fall victim to a mega bug and end up as a statistic on a Google executive’s PowerPoint presentation!

6 tips to help you tell fact from fiction

If you are concerned by a media report, or an IT vendor talking up a new cybersecurity risk, the first thing to do is, stop! Ask yourself some basic questions: what do they stand to gain if you agree with them or follow their advice? If there’s a product being sold to “solve” this “urgent and serious problem”, dig deeper into the claims:

  1. Have they explained their claims or how they came to their conclusions?
  2. Does that stand up to logic, reason and scrutiny?
  3. Can they provide references?
  4. Can you verify anything they are suggesting yourself?
  5. Are their claims supported by independent sources or an official authority?
  6. And importantly, does what they’re suggesting apply to the devices or software your business is using?

In the end, if you’re still worried about being fed hyperbole about mega bugs – or any cybersecurity threat for that matter – and you haven’t got the time to follow these steps, stick to trusted brands and official advice. You might not agree with everything they do or say, but it is less likely to be exaggerated and misleading.

Published by Kidal Delonix (1197 Posts)

Kidal Delonix is a contributor to Mr. Hoffman's blog. The views and opinions are entirely his/her own and may not reflect Mr Hoffman's views.
