San Francisco-based mobile security software maker Lookout has released a new piece of software called the “Stagefright Detector”, which claims to detect whether the multimedia library in a user’s Android device has been patched or is still vulnerable to remote attackers because of a major security flaw found in the software. The app can be downloaded from Google Play as of Wednesday, and it aims to warn users of a possible attack through a multimedia message sent to their phones by a remote attacker. The app also guides users through disabling MMS auto-retrieval in their phones’ default messaging app. The company says, “By disabling this functionality, you prevent an attacker from getting the device to automatically download a malicious video containing Stagefright exploits”.
Users will do well to recognize that the app is in no way, shape or form a patch or a safeguard of any sort against an attack that seeks to exploit the Stagefright vulnerability. The only ones who can actually push through those security patches are manufacturers and carriers, depending on whether you’re using an unlocked device or a carrier-locked one. You can go to Settings > System Updates to manually check if your carrier or manufacturer is rolling out an update to patch the vulnerability, although thus far, Sprint and AT&T have reportedly patched only a handful of devices, while Google has already pushed out patches for its Nexus 5 and Nexus 6 smartphones.
For the uninitiated, late last month, Zimperium zLabs publicly announced a vulnerability found in the Stagefright multimedia library of Google’s Android, which potentially left millions of unpatched devices, running recent versions of Android from Lollipop going right back to Froyo, vulnerable to attacks from hackers who’d need only a user’s phone number to execute their attack. Such attacks could potentially compromise users’ security and privacy by allowing hackers access to their photos, videos, music etc. The multiple CVE identifiers assigned to the bug are collectively being called the Stagefright bug. Coming back to the app released by Lookout, the company includes a disclaimer about its app, which states, “Stagefright Detector is not meant to fix this vulnerability, as the vulnerability will need to be patched by Google or your device manufacturer. Stagefright Detector is only meant to keep you informed about your level of risk”.