ESET releases Stagefright app for Android

The rear of an Android smartphone including its camera

Security firm ESET has launched a Stagefright detector application that can reveal whether your phone or tablet is vulnerable to the bug.

Although a number of device manufacturers have released patches for flaw, millions of handsets will remain susceptible to the bug because it is too difficult to fix holes in all devices.

"We recommend you to check with your vendor whether you already have a patch for your Android device," ESET said. "However, as we have seen this past week, even the patch could contain an additional bug. Therefore, we suggest you to check whether your device is vulnerable with the ESET Stagefright Detector App and stay alert for new information and if necessary request updates from your vendor to fix this issue.

The Stagefright flaw could affect up to 950 million Android phones, according to security firm Zimpherium, which first discovered the issue, and can be exploited simply by the attacker obtaining a target's phone number.

Then all they need to do is send a photo or video message to the target, an action that accesses an Android core component, also called Stagefright, which allows the malicious code contained within the MMS (multimedia messaging service) message to access a target's data and apps.

Google said it has patched the problem after Zimpherium notified the tech giant of the issue, but hundreds of millions of Android instances still require updating.

Those users may not receive the patch for some time because they are relying on Google, their phone's manufacturer and their mobile operator to make sure the the correct patch is issued for their particular version of the open source OS.

Additionally, the Stagefright bug actually comprises seven different vulnerabilities and manufacturers are finding it hard to keep up with the changes in the flaw. Although Google patched the original flaw, researchers from Exodus then found another flaw in the patch. Google has subsequently fixed this and announced it will be rolling out a fix for Nexus 4, 5, 6, 7, 9, 10 and Player users in its monthly security update that will launch next month.

Independent IT security analyst Graham Cluley wrote in a blog post: "Over-the-air updates for Android are notoriously hard to get hold of for some devices.

"Even if you *want* to upgrade the operating system on your Android phone or tablet you might not be able to, because an update is only going to be available for those devices with the assistance and goodwill of Google, the device's manufacturer and your mobile phone carrier."

He warned that older tablets and smartphones runing Android could be "left stranded".

David Kennerley, threat research manager at cyber security firm Webroot, pointed out the hack affects versions of Android from 2.2 Froyo to the latest, 5.1 Lollipop, and urged smartphone manufacturers to act as soon as possible.

"Most smartphone manufacturers will need to implement the new code into their own Android OS flavours," he said. "This means manufacturers are in complete control of when users will receives these critical updates. Past experience tells us some customers could be waiting a very long time possibility forever."

But customers can also manually reject updates, leaving themselves exposed to the threat, and Google has not yet widely issued its patch for the flaw.

ESET's Stagefright Detector can be found on Google Play.

Just how dangerous is Stagefright?

Joshua Drake the researcher who first discovered the Stagefright bug, claimed it is worse than Heartbleed, which attacks SSL encryption to steal usernames, passwords and documents without leaving any trace behind.

One reason for that is that it affects 95 per cent of all Android users, according to Drake, and, unlike typical phishing messages, the victim isn't required to do anything even open the message to get hacked.

"Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS. A fully weaponised successful attack could even delete the message before you see it. You will only see the notification," Zimpherium warned.

"This vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual with a trojaned phone," it added.

What happens now?

Google has said it is not aware of any Stagefright attacks so far, although that does not mean none have occurred.

While smartphone manufacturers are being urged to take action, Google must seize the initiative before hackers do, according to app security company Veracode.

Just after the public disclosure of the bug, Veracode's CISO and CTO Chris Wysopal said: "It will be very interested to see how Google responds to this. They'll have to drive the patch quickly and in a manner that impacts every affected device at the same time.

"Waiting for handset manufacturers or carriers to issue a patch would be problematic since it could take a month or more before each party issues a patch."

Such delays would provide attackers with ample time to hit back, Wysopal claimed.

"This would leave a big window for an attacker to reverse engineer the first patch issued by whichever party to create an exploit that would impact any device," he warned. "We're likely to see Google force down a tool that addresses the vulnerability for everyone."

This article was originally written in July 2015 but has been subsequently updated with the latest information.