If you have an Android smartphone you are probably vulnerable to a security bug that could allow anyone to take over your phone using just a multimedia message.

For users there’s not a lot you can do. The bug, called Stagefright, affects the multimedia handling capabilities of every Android smartphone using the mobile operating system, of which there are over 1bn in circulation.

It has been described as “Heartbleed for mobile”– after the major vulnerability that affected desktop computers – by security experts and has prompted Google, Samsung and LG to promise regular monthly security updates.

After being notified about Stagefright in April, it was fixed by Google in the open-source version of Android (AOSP) in July, but was not pushed out to other smartphones such as Google’s Nexus line of devices.

Most updates for Android are passed from Google to device manufacturers such as Samsung and then on to mobile phone operators before being pushed out to customers.

That long chain has meant that the vast majority of Android smartphones have not been updated.

But now an app has been released by a mobile security company, Zimperium, that specifically checks to see whether the Android device it is installed on is vulnerable to the bug or whether it has been updated already.

The free app, called Stagefright Detector App, performs six checks for the bug and reports back. Users who are using a vulnerable device are advised to disable multimedia messaging (MMS) and to be careful about opening messages sent to them by unknown contacts.

• Stagefright: new Android vulnerability dubbed ‘heartbleed for mobile’