Last week, the world learned about critical vulnerabilities in Stagefright, an open source media player used by 95 percent of Android devices, or roughly one billion devices worldwide. In addition to the sheer number of people that are likely at risk, this vulnerability is especially scary because if it can be delivered via MMS (which is automatically downloaded to the device by default), the code can remotely execute on your device without you actually doing anything. It would then have unfettered access to the camera, microphone, contacts, and photos – very personal stuff.
Now the real kicker. You will need to wait for a pending security update from your carrier, device manufacturer or Google to ultimately patch this vulnerability and be completely safe. To check if a patch is available for most Android devices, go to Settings and click System Updates.
That’s why we’ve developed Stagefright Detector
. This app arms you with information by telling you whether or not your Android device is vulnerable to Stagefright. If you are affected, we provide the run-down on how to mitigate your risk of being attacked. You’ll also be able to check back in when you receive your security patch to confirm it contained the fix for Stagefright.
How Lookout’s Stagefright Detector works
Once downloaded, the app checks to see if you have a vulnerable version of the media player. The app will inform you if a) you’re not vulnerable or your device has already been patched, or b) you’re vulnerable and your device has not yet been patched.
What to do if your device is vulnerable
Within Stagefright Detector, Lookout provides detailed instructions on disabling the auto-fetching of MMS messages in your default messaging app. Depending on your phone, this app may be “Hangouts,” “Messages,” “Messaging,” or “Messenger.” By disabling this functionality, you prevent an attacker from getting the device to automatically download a malicious video containing Stagefright exploits.
You can also find these instructions in Lookout’s blog here
While these instructions will make it harder for a device to be exploited via MMS, Lookout encourages Android users to exercise caution when viewing videos displayed on untrusted websites or included in messages from unknown senders. We’d be remiss to not also advise that you download a security app, like Lookout, that can protect you if the vulnerability is exploited to deliver malware to your device.
Stagefright Detector is not meant to fix this vulnerability, as the vulnerability will need to be patched by Google or your device manufacturer. Stagefright Detector is only meant to keep you informed about your level of risk. Stagefright Detector is a project of the Labs division of Lookout, Inc. The goal of Lookout Labs is to explore new ideas and push the boundaries of mobile apps. Labs projects are experimental by nature, and may only be available for a limited time.