Check your Android Smartphone security status

IO.Hazard · 28. Dec 2015, 03:50 AM

Android has a lot (really, A LOT) of severe security issues that could compromise your phone and data. The Android VTS tool has been out for some time, and the latest version will help you in detecting all system vulnerabilities (known as CVEs). That's the good news.

The bad news is it won't patch nor fix them since that's the work of your phone's vendor, meaning there are little chances you'll get them solved unless you a have recent flagship device.

The app was pulled from the PlayStore some weeks ago (maybe because it was a direct hit at Google), but can still be downloaded from the official GitHub page:

https://github.com/nowsecure/android-vts/releases

Even though my phone is running Lollipop 5.1.1, the app detected 5 vulnerabilities, which confirms that having the "latest" android version doesn't mean your phone is protected.

Sope · 28. Dec 2015, 12:52 PM

Interesting thanks.

What is your view of the VirusTotal scan of the Android VTS Tool, anything to worry about??

Anupam · 28. Dec 2015, 01:08 PM

Android Lollipop is not the latest, to be correct. Android Marshmallow is the latest version.

And with this release of the OS, Google and other vendors have decided to release monthly stability and security patches for the OS, which is quite a good decision, keeping in mind the security.

I have a Nexus 5, and it has been receiving these monthly updates.

However, yes, when the vendor decides not to release any more updates for that device, then it's a problem.

IO.Hazard · 28. Dec 2015, 08:20 PM

Quote:

Originally Posted by Sope

What is your view of the VirusTotal scan of the Android VTS Tool, anything to worry about??

Nothing to worry about. The app uses the same procedure a malicious tool would (in this case the infamous Stagefright vulnerability) but only to explore if the phone is vulnerable or not. It will not tamper with your phone in any way. The VTS Tool is open-source, so anyone can audit the code and report possible backdoors.

@Anupam,

Yes, you're right. Android M (6.0.1 to be more specific) is the latest version of Android, but is only available for some Nexus and Pure Edition devices, which are controlled by Google. The rest of devices are running Android JellyBean, KitKat or Lollipop at best, and only some lucky ones are to receive the 6.0.1 update in January or February.

As for the monthly stability and security patches, once again the Nexus series seems to be the only one receiving them through the "Android Security Bulletin Monthly Release". Although Motorola, LG, and Samsung were the first vendors to jump in, only users with the more expensive phones have seen the so-called monthly updates, if any. (Source)

According to the latest official Android distribution figures (December 2015), Android M just hit the 0,5% mark (very low), while Lollipop reached the 29,5% and KitKat still dominates with a solid 36,6%. Even the dated JellyBean, with all its variations, has a 26,9% distribution share.

If Lollipop 5.1.1 had 5 vulnerabilities out of 26 possible, I wonder how the lower, older versions, would fare against the VST tool.

Sope · 28. Dec 2015, 08:27 PM

Quote:

Originally Posted by IO.Hazard

Nothing to worry about. The app uses the same procedure a malicious tool would (in this case the infamous Stagefright vulnerability) but only to explore if the phone is vulnerable or not. It will not tamper with your phone in any way. The VTS Tool is open-source, so anyone can audit the code and report possible backdoors.

Thanks for that.

Anupam · 29. Dec 2015, 09:24 AM

Good points IO.Hazard. And quite some points of concern there for the end users. First, they have to wait a really long time for any update, and then security patches being provided only to flagship devices is just not fair.

Sope · 29. Dec 2015, 10:26 AM

My phone running ICS 4.0.9 has 14 vulnerabilities according to the VTS Tool

I am looking to upgrade soon (long overdue

) but it sounds like that still won't guarantee reliable security. Not that I've ever trusted using my phone for sensitive stuff like online banking and such.

UserError · 22. Jan 2016, 05:01 AM

Just installed the app from the official link. My phone is on KitKat 4.4.4 and 10 vulnerabilities were detected, too bad. All of them are 'serious' and my phone is stuck with this android version.

Google should have implemented 'granular system updates' the same way it did with the permissions. That way you could patch the system without the need of big, updated firmwares.

BTW, this screen got my attention during the installation:

Is that a confirmation that antivirus apps are just a waste internal storage, battery life, and other valuables system resources? If a serious developer like this one states this, I think I should listen to him.

Burn-IT · 23. Jan 2016, 12:00 AM

Using your phone makes you less secure! Fact
But that comment may actually be true under many circumstances.

Relying on AV to keep your phone safe is not a good idea. You should still be careful what sites you visit.
AV will help to reduce the likelihood of getting a virus by accident, but if you visit iffy sites then it won't stop al of them.

trainman261 · 23. Jan 2016, 03:26 PM

I'll jump in on the whole antivirus thing - and I'll go out on a limb and say it's not necessary. Here's why:
1. Android already has a certain security mechanism built-in - it does, as far as I know, scan apps when they are installed.
2. If you stick to the Google Play Store or another reliable app store, you should be fine when it comes to avoiding viruses, if you take a look at what you download and don't just download an app from a random developer with 100 downloads and 10 bad reviews.
3. You can't run APKs on Android the way you can run EXEs on a Windows computer. On a Windows computer, any EXE can run without being installed, and it has access to a lot of stuff, if it wants to access it, even without administrator privileges. On the other hand, an APK can't run without being installed - and when it is installed, it's not the APK providing the installation interface, it's the system (which is why there aren't all the problems with installer crapware on Android), so the user explicitly presses the install button, which is right under the list of permissions it will get if installed - and the app will only be able to use those services. The only way it can get around that is by using an exploit - which is where the whole topic started - but at that point, it shouldn't have a problem getting around the antivirus either, especially since antivirus on Android doesn't have quite the capabilities of Antivirus on Windows, for example.

28. Dec 2015, 03:50 AM	#1 (permalink)
IO.Hazard Senior Member Join Date: Aug 2012 Posts: 192	Check your Android Smartphone security status Android has a lot (really, A LOT) of severe security issues that could compromise your phone and data. The Android VTS tool has been out for some time, and the latest version will help you in detecting all system vulnerabilities (known as CVEs). That's the good news. The bad news is it won't patch nor fix them since that's the work of your phone's vendor, meaning there are little chances you'll get them solved unless you a have recent flagship device. The app was pulled from the PlayStore some weeks ago (maybe because it was a direct hit at Google), but can still be downloaded from the official GitHub page: https://github.com/nowsecure/android-vts/releases Even though my phone is running Lollipop 5.1.1, the app detected 5 vulnerabilities, which confirms that having the "latest" android version doesn't mean your phone is protected.

28. Dec 2015, 01:08 PM	#3 (permalink)
Anupam Super Moderator Join Date: Jul 2008 Location: India Posts: 15,274	Android Lollipop is not the latest, to be correct. Android Marshmallow is the latest version. And with this release of the OS, Google and other vendors have decided to release monthly stability and security patches for the OS, which is quite a good decision, keeping in mind the security. I have a Nexus 5, and it has been receiving these monthly updates. However, yes, when the vendor decides not to release any more updates for that device, then it's a problem. __________________ Anupam

29. Dec 2015, 09:24 AM	#6 (permalink)
Anupam Super Moderator Join Date: Jul 2008 Location: India Posts: 15,274	Good points IO.Hazard. And quite some points of concern there for the end users. First, they have to wait a really long time for any update, and then security patches being provided only to flagship devices is just not fair. __________________ Anupam

22. Jan 2016, 05:01 AM	#8 (permalink)
UserError Full Member Join Date: Jun 2014 Location: Light of the South Posts: 40	Just installed the app from the official link. My phone is on KitKat 4.4.4 and 10 vulnerabilities were detected, too bad. All of them are 'serious' and my phone is stuck with this android version. Google should have implemented 'granular system updates' the same way it did with the permissions. That way you could patch the system without the need of big, updated firmwares. BTW, this screen got my attention during the installation: Is that a confirmation that antivirus apps are just a waste internal storage, battery life, and other valuables system resources? If a serious developer like this one states this, I think I should listen to him. __________________ Error Code 42: User Error. It's not our damn fault!

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

28. Dec 2015, 12:52 PM	#2 (permalink)
Sope Senior Member Join Date: Feb 2009 Location: Wales, UK Posts: 1,174	Interesting thanks. What is your view of the VirusTotal scan of the Android VTS Tool, anything to worry about??

29. Dec 2015, 10:26 AM	#7 (permalink)
Sope Senior Member Join Date: Feb 2009 Location: Wales, UK Posts: 1,174	My phone running ICS 4.0.9 has 14 vulnerabilities according to the VTS Tool I am looking to upgrade soon (long overdue ) but it sounds like that still won't guarantee reliable security. Not that I've ever trusted using my phone for sensitive stuff like online banking and such.

23. Jan 2016, 12:00 AM	#9 (permalink)
Burn-IT Senior Member Join Date: May 2010 Posts: 549	Using your phone makes you less secure! Fact But that comment may actually be true under many circumstances. Relying on AV to keep your phone safe is not a good idea. You should still be careful what sites you visit. AV will help to reduce the likelihood of getting a virus by accident, but if you visit iffy sites then it won't stop al of them.

23. Jan 2016, 03:26 PM	#10 (permalink)
trainman261 Editor (Android) Join Date: Jan 2012 Posts: 224	I'll jump in on the whole antivirus thing - and I'll go out on a limb and say it's not necessary. Here's why: 1. Android already has a certain security mechanism built-in - it does, as far as I know, scan apps when they are installed. 2. If you stick to the Google Play Store or another reliable app store, you should be fine when it comes to avoiding viruses, if you take a look at what you download and don't just download an app from a random developer with 100 downloads and 10 bad reviews. 3. You can't run APKs on Android the way you can run EXEs on a Windows computer. On a Windows computer, any EXE can run without being installed, and it has access to a lot of stuff, if it wants to access it, even without administrator privileges. On the other hand, an APK can't run without being installed - and when it is installed, it's not the APK providing the installation interface, it's the system (which is why there aren't all the problems with installer crapware on Android), so the user explicitly presses the install button, which is right under the list of permissions it will get if installed - and the app will only be able to use those services. The only way it can get around that is by using an exploit - which is where the whole topic started - but at that point, it shouldn't have a problem getting around the antivirus either, especially since antivirus on Android doesn't have quite the capabilities of Antivirus on Windows, for example.