UPDATE: Google removed Android VTS from Google Play. For more information see our blog post “Appealing Google Play’s Suspension of the VTS for Android App.” We continue to distribute the app via GitHub.
Six weeks ago, NowSecure announced the Android Vulnerability Test Suite (Android VTS). Driven by Security Researcher Ryan Welton (@fuzion24), the open source tool is designed to check for vulnerabilities on an Android device to give users the status of potential vulnerabilities.
Let’s Talk About Patches
We wanted to bring forth a discussion around the cadence of patches in the Android operating system. Nexus devices receive patches the quickest since they are closest to a pure version of Android, but significant time often exists between identifying vulnerabilities, providing a patch, and pushing the patch to users, even on pure Android devices. Patches which have to be passed through both OEMs and carriers usually take even longer, months and sometimes a year, to be pushed live. Frequently, OEMs or carriers choose not to patch devices. This timeframe, or lack of a patch, leaves users vulnerable to attacks and susceptible to the loss of sensitive data from leaky apps.
We created the Android VTS for the purpose of assisting you in discovering if your device is affected by – or patched for – a vulnerability.
After receiving contributions from researchers and other interested members of the community, the vulnerability tester was at one time available on Google Play under the name VTS for Android, but has since been removed. We will continue to update this application as new mobile vulnerabilities are released. If you would like to contribute, please do so in our GitHub repo.
The Android VTS currently checks for the following:
- CVE-2011-1149 / PSNeuter / Ashmem Exploit
- CVE-2013-6282 / put/get_user
- CVE-2014-3153 / Futex bug / Towelroot
- CVE-2014-3847 / WeakSauce
- CVE-2014-4943 / L2TP
- CVE-2015-1528 / GraphicsBufferOverflow
- CVE-2015-3636 / PingPong root
- Jar Bug 13678484 / Android FakeID
- Samsung WifiCredService remote code execution
- Stagefright bugs
- x509 Serialization bug
- ZipBug 8219321 / Master keys
- ZipBug 9695860
- ZipBug 9950697
Benefitting The Security Research Community
The goal of the Android VTS has always been to educate users about the health of their devices. At the same time, we want the security research community to benefit from this important data. If we all better understand where the problems are, the community has a better chance to address them. NowSecure is guided by a “rising tide lifts all boats” mentality, and we believe this tool is a part of that principle.
In the future, the VTS will offer users a clear opportunity to opt in and share their results with the greater community. We want this action to be transparent. Then, as data is shared, mobile devices become more secure.
To download the Android VTS from the Google Play Store, click here.