VTS scans Android devices for publicly-known vulnerabilities
Vulnerability Test Suite (VTS) is a free application for Android that scans devices running the operating system for publicly-disclosed vulnerabilities.
Publicly-disclosed vulnerabilities remain a threat months or even years after disclosed due to how patches are delivered to user systems.
Once Google has created a patch for a disclosed vulnerability, it is up to the device manufacturer to implement it and either make it available directly or submit it to carriers for another round of testing before the updates are made available to customers.
There is no universal update system available that would deliver the patches directly to customer systems, or one where customers could download patches for their devices directly.
The Android Vulnerability Test Suite checks the device for known vulnerabilities, and lists them in its interface afterwards.
The application uses checks that won't cause notable system instabilities or other issues, and takes only a moment to scan the system for these vulnerabilities.
Vulnerabilities that it can detect include Stagefright, various Zip bugs or StumpRoot. A full list of supported vulnerabilities is provided on the project's Github project page.
All checks are listed with a name, short description and whether the device is vulnerable or not. A show details button opens an overlay with additional information, including links to web pages with more information and patches if already available.
A tap on a link opens it in the default system browser. The only options provided besides that are to export the results or to share them.
The application informs you about vulnerabilities, but there is little that you can do if vulnerabilities are discovered even if a patch is available.
While you may sometimes change how you use the device to avoid falling victim to an attack targeting a specific vulnerability, that may not always be possible depending on the vulnerabilities.
You could contact the device manufacturer and carrier to get them to react to vulnerabilities more quickly, or install a third-party modification or custom ROM that takes care of that if available.
Closing Words
The Vulnerability Test Suite is a useful Android application that scans the device for know vulnerabilities. It can be reassuring if no unpatched vulnerabilities are discovered, but also helpful if you know about existing vulnerabilities as you may be able to do something about them then (thanks Imu).
Now You: Did the app find any vulnerabilities on your device?
Gave it a try on a Nexus 7 (2013) Android 6…most of the things it checked for were pretty old….Android 4.x days…
Interesting though…wonder what payload it dropped on me…LOL…
Nice find Martin – ran it on my Sony st26i . 10 vulnerabilities yet the Update Centre on the phone shows the system as up to date. Lack of a proper updating system is a major issue for Android – I think I would have second thoughts about another Android when the time to change comes. Apple may be more expensive but at least the updating is centralised, not sure how Windows phone works with updates – presumably it also has centralised updating ?
Interesting that Avast for Android indicates that this app contains malware …
Thanks for sharing info about the VTS, Martin. We really appreciate it here at NowSecure.
@johnoo The VTS probes your device for vulnerabilities, so we see a lot of virus scanners flag the app. We promise the app isn’t malicious and welcome you to look into the Github repo to see all of the discussions around the app and future goals.
It appears as though it is no longer available on the play store.