
NowSecure’s Android Vulnerability Test Suite Has Been Removed From The Play Store


Google’s official Android market was released in 2008 and currently houses over 600,000 applications and other content supported by Android smartphones and tablets. Many developers have created applications and games using the Android SDK and published their work on the Google Play store. One such application was VTS from NowSecure, which helped users discover whether their devices were affected by, or patched for, a vulnerability. Unfortunately, Google has removed this application, but VTS can still be downloaded from APK Mirror and GitHub.

When Google releases new updates, the patches reach Nexus devices first, and it takes longer for other smartphone owners to get them. Other manufacturers need time to identify vulnerabilities, provide patches and push them to users, and these patches must pass through OEMs and carriers, so it can take months until they are pushed live.

NowSecure created the Vulnerability Test Suite for Android, which scans the phone and lists, for each vulnerability, whether the device is affected or whether the vulnerability has been patched.

VTS checks for: CVE-2011-1149 / PSNueter / Ashmem Exploit; CVE-2013-6282 / put/get_user; CVE-2014-3153 / Futex bug / Towelroot; CVE-2014-3847 / WeakSauce; CVE-2014-4943 / L2TP; CVE-2015-1528 / GraphicsBufferOverflow; CVE-2015-3636 / PingPong root; Jar Bug 13678484 / Android FakeID; Samsung WifiCredService remote code execution; Stagefright bugs; StumpRoot; x509 Serialization bug; ZipBug 8219321 / Master keys; ZipBug 9695860 and ZipBug 9950697. When an issue is detected, VTS informs you and provides a description of the problem.

Unfortunately, the developers were unpleasantly surprised to receive an email from Google’s representatives saying that their application had been removed from the Play store. “Applications which cross a security boundary to perform a security test are prohibited from Google Play. After review, we found that the ping_pong.c, futex_exploit_check.c and tests crossed a security boundary to perform their tests, probing either the kernel or system_server/vold” was Google’s explanation.

VTS earned 4.2 stars from users and had 50k-100k downloads before it was removed on Monday.