ESET releases Stagefright app for Android

The application detects whether an Android device is vulnerable to Stagefright

Security firm ESET has launched a Stagefright detector application that can reveal whether your phone or tablet is vulnerable to the bug.

Although a number of device manufacturers have released patches for flaw, millions of handsets will remain susceptible to the bug because it is too difficult to fix holes in all devices.

Advertisement - Article continues below

"We recommend you to check with your vendor whether you already have a patch for your Android device," ESET said. "However, as we have seen this past week, even the patch could contain an additional bug. Therefore, we suggest you to check whether your device is vulnerable with the ESET Stagefright Detector App and stay alert for new information and if necessary request updates from your vendor to fix this issue.

The Stagefright flaw could affect up to 950 million Android phones, according to security firm Zimpherium, which first discovered the issue, and can be exploited simply by the attacker obtaining a target's phone number.

Then all they need to do is send a photo or video message to the target, an action that accesses an Android core component, also called Stagefright, which allows the malicious code contained within the MMS (multimedia messaging service) message to access a target's data and apps.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Google said it has patched the problem after Zimpherium notified the tech giant of the issue, but hundreds of millions of Android instances still require updating.

Those users may not receive the patch for some time because they are relying on Google, their phone's manufacturer and their mobile operator to make sure the the correct patch is issued for their particular version of the open source OS.

Additionally, the Stagefright bug actually comprises seven different vulnerabilities and manufacturers are finding it hard to keep up with the changes in the flaw. Although Google patched the original flaw, researchers from Exodus then found another flaw in the patch. Google has subsequently fixed this and announced it will be rolling out a fix for Nexus 4, 5, 6, 7, 9, 10 and Player users in its monthly security update that will launch next month.

Independent IT security analyst Graham Cluley wrote in a blog post: "Over-the-air updates for Android are notoriously hard to get hold of for some devices.

Advertisement - Article continues below

"Even if you *want* to upgrade the operating system on your Android phone or tablet you might not be able to, because an update is only going to be available for those devices with the assistance and goodwill of Google, the device's manufacturer and your mobile phone carrier."

He warned that older tablets and smartphones runing Android could be "left stranded".

David Kennerley, threat research manager at cyber security firm Webroot, pointed out the hack affects versions of Android from 2.2 Froyo to the latest, 5.1 Lollipop, and urged smartphone manufacturers to act as soon as possible.

"Most smartphone manufacturers will need to implement the new code into their own Android OS flavours," he said. "This means manufacturers are in complete control of when users will receives these critical updates. Past experience tells us some customers could be waiting a very long time possibility forever."

Advertisement
Advertisement - Article continues below

But customers can also manually reject updates, leaving themselves exposed to the threat, and Google has not yet widely issued its patch for the flaw.

Advertisement - Article continues below

ESET's Stagefright Detector can be found on Google Play.

Just how dangerous is Stagefright?

Joshua Drake the researcher who first discovered the Stagefright bug, claimed it is worse than Heartbleed, which attacks SSL encryption to steal usernames, passwords and documents without leaving any trace behind.

One reason for that is that it affects 95 per cent of all Android users, according to Drake, and, unlike typical phishing messages, the victim isn't required to do anything even open the message to get hacked.

"Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS. A fully weaponised successful attack could even delete the message before you see it. You will only see the notification," Zimpherium warned.

"This vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual with a trojaned phone," it added.

Advertisement - Article continues below

What happens now?

Google has said it is not aware of any Stagefright attacks so far, although that does not mean none have occurred.

While smartphone manufacturers are being urged to take action, Google must seize the initiative before hackers do, according to app security company Veracode.

Just after the public disclosure of the bug, Veracode's CISO and CTO Chris Wysopal said: "It will be very interested to see how Google responds to this. They'll have to drive the patch quickly and in a manner that impacts every affected device at the same time.

"Waiting for handset manufacturers or carriers to issue a patch would be problematic since it could take a month or more before each party issues a patch."

Such delays would provide attackers with ample time to hit back, Wysopal claimed.

"This would leave a big window for an attacker to reverse engineer the first patch issued by whichever party to create an exploit that would impact any device," he warned. "We're likely to see Google force down a tool that addresses the vulnerability for everyone."

This article was originally written in July 2015 but has been subsequently updated with the latest information.

Advertisement
Advertisement

Recommended

Visit/security/cyber-security/355210/cyber-criminals-torn-over-how-to-adapt-to-post-coronavirus-threat
cyber security

Hackers torn over how to adapt their tactics to the coronavirus pandemic

3 Apr 2020
Visit/security/cyber-security/355185/165-million-britons-experienced-a-cyber-crime-in-the-past-year
cyber security

Report: 16.5 million Britons fell victim to cyber crime in the past year

1 Apr 2020
Visit/cloud/amazon-web-services-aws/355183/aws-launches-amazon-detective
Amazon Web Services (AWS)

AWS launches Amazon Detective for investigating security incidents

1 Apr 2020
Visit/security/privacy/355182/government-to-launch-coronavirus-contact-tracking-app
privacy

UK government to launch coronavirus 'contact tracking' app

1 Apr 2020

Most Popular

Visit/security/privacy/355211/google-releases-location-data-to-showcase-effectiveness-of-coronavirus
privacy

Google releases location data to show effectiveness of coronavirus lockdowns

3 Apr 2020
Visit/data-insights/data-management/355170/oracle-cloud-courses-are-free-during-coronavirus-lockdown
data management

Oracle cloud courses are free during coronavirus lockdown

31 Mar 2020
Visit/software/355113/companies-offering-free-software-to-fight-covid-19
Software

These are the companies offering free software during the coronavirus crisis

2 Apr 2020