ESET releases Stagefright app for Android

The application detects whether an Android device is vulnerable to Stagefright

Security firm ESET has launched a Stagefright detector application that can reveal whether your phone or tablet is vulnerable to the bug.

Although a number of device manufacturers have released patches for flaw, millions of handsets will remain susceptible to the bug because it is too difficult to fix holes in all devices.

Advertisement - Article continues below

"We recommend you to check with your vendor whether you already have a patch for your Android device," ESET said. "However, as we have seen this past week, even the patch could contain an additional bug. Therefore, we suggest you to check whether your device is vulnerable with the ESET Stagefright Detector App and stay alert for new information and if necessary request updates from your vendor to fix this issue.

The Stagefright flaw could affect up to 950 million Android phones, according to security firm Zimpherium, which first discovered the issue, and can be exploited simply by the attacker obtaining a target's phone number.

Then all they need to do is send a photo or video message to the target, an action that accesses an Android core component, also called Stagefright, which allows the malicious code contained within the MMS (multimedia messaging service) message to access a target's data and apps.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Google said it has patched the problem after Zimpherium notified the tech giant of the issue, but hundreds of millions of Android instances still require updating.

Those users may not receive the patch for some time because they are relying on Google, their phone's manufacturer and their mobile operator to make sure the the correct patch is issued for their particular version of the open source OS.

Additionally, the Stagefright bug actually comprises seven different vulnerabilities and manufacturers are finding it hard to keep up with the changes in the flaw. Although Google patched the original flaw, researchers from Exodus then found another flaw in the patch. Google has subsequently fixed this and announced it will be rolling out a fix for Nexus 4, 5, 6, 7, 9, 10 and Player users in its monthly security update that will launch next month.

Independent IT security analyst Graham Cluley wrote in a blog post: "Over-the-air updates for Android are notoriously hard to get hold of for some devices.

Advertisement - Article continues below

"Even if you *want* to upgrade the operating system on your Android phone or tablet you might not be able to, because an update is only going to be available for those devices with the assistance and goodwill of Google, the device's manufacturer and your mobile phone carrier."

He warned that older tablets and smartphones runing Android could be "left stranded".

David Kennerley, threat research manager at cyber security firm Webroot, pointed out the hack affects versions of Android from 2.2 Froyo to the latest, 5.1 Lollipop, and urged smartphone manufacturers to act as soon as possible.

"Most smartphone manufacturers will need to implement the new code into their own Android OS flavours," he said. "This means manufacturers are in complete control of when users will receives these critical updates. Past experience tells us some customers could be waiting a very long time possibility forever."

Advertisement
Advertisement - Article continues below

But customers can also manually reject updates, leaving themselves exposed to the threat, and Google has not yet widely issued its patch for the flaw.

Advertisement - Article continues below

ESET's Stagefright Detector can be found on Google Play.

Just how dangerous is Stagefright?

Joshua Drake the researcher who first discovered the Stagefright bug, claimed it is worse than Heartbleed, which attacks SSL encryption to steal usernames, passwords and documents without leaving any trace behind.

One reason for that is that it affects 95 per cent of all Android users, according to Drake, and, unlike typical phishing messages, the victim isn't required to do anything even open the message to get hacked.

"Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS. A fully weaponised successful attack could even delete the message before you see it. You will only see the notification," Zimpherium warned.

"This vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual with a trojaned phone," it added.

Advertisement - Article continues below

What happens now?

Google has said it is not aware of any Stagefright attacks so far, although that does not mean none have occurred.

While smartphone manufacturers are being urged to take action, Google must seize the initiative before hackers do, according to app security company Veracode.

Just after the public disclosure of the bug, Veracode's CISO and CTO Chris Wysopal said: "It will be very interested to see how Google responds to this. They'll have to drive the patch quickly and in a manner that impacts every affected device at the same time.

"Waiting for handset manufacturers or carriers to issue a patch would be problematic since it could take a month or more before each party issues a patch."

Such delays would provide attackers with ample time to hit back, Wysopal claimed.

"This would leave a big window for an attacker to reverse engineer the first patch issued by whichever party to create an exploit that would impact any device," he warned. "We're likely to see Google force down a tool that addresses the vulnerability for everyone."

This article was originally written in July 2015 but has been subsequently updated with the latest information.

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now
Advertisement
Advertisement

Recommended

Visit/software/video-conferencing/356448/google-meets-preventing-zoombombing-fueled-class-cancellations
video conferencing

Google Meet update to help prevent Zoom-bombing-fueled class cancellations

14 Jul 2020
Visit/business/policy-legislation/356416/dems-ask-facebook-google-and-twitter-for-coronavirus
Policy & legislation

Dems ask Facebook, Google and Twitter for coronavirus disinformation reports

10 Jul 2020
Visit/business/policy-legislation/356413/california-launching-google-antitrust-probe
Policy & legislation

California launching Google antitrust probe

10 Jul 2020
Visit/mobile/google-android/356398/google-maps-is-testing-traffic-lights
Google Android

Google Maps is testing traffic lights

9 Jul 2020

Most Popular

Visit/business/business-operations/356395/nvidia-overtakes-intel-as-most-valuable-us-chipmaker
Business operations

Nvidia overtakes Intel as most valuable US chipmaker

9 Jul 2020
Visit/laptops/29190/how-to-find-ram-speed-size-and-type
Laptops

How to find RAM speed, size and type

24 Jun 2020
Visit/business-strategy/careers-training/356422/ibm-job-ad-calls-for-12-year-experience-with-6-year-old
Careers & training

IBM job ad calls for 12-years of experience with six-year-old Kubernetes

13 Jul 2020