If Stagefright sounds like a scary name, that’s because it is. Stagefright might just be the biggest vulnerability discovered in Android so far. It stretches back to Android 2.2 Froyo, affects the vast majority of Android phones (around 900 million) and works via MMS. The recipient doesn’t need to do anything. If they’re using Hangouts or the default Messaging app, the app will automatically download and process the MMS for playback. And that’s all the exploit needs to infiltrate your phone.
Stagefright is a core library in Android used to play multimedia files like MP4 videos. Stagefright is so scary because it makes sending malicious code to an Android phone really easy. This malicious code can be anything the hacker wants it to be.
How to Check the Vulnerability of Your Device
Google has already patched the bug in the latest Android release (so if you’re using the flagship Samsung and Moto phones, you should be fine), but the problem is that not everyone is always running the latest version of Android. You’ll need to rely on the manufacturer to push an update.
The company that exposed the bug, Zimperium, has also released a simple app, Stagefright Detector, that tests whether your phone is vulnerable. Just download the app and start the test. In a couple of seconds you’ll have your answer.
If you’re vulnerable, keep an eye out for the latest updates and upgrade as soon as possible.
Also, try the following solutions.
How to Protect Yourself from Stagefright
Unfortunately, because Stagefright is so deeply embedded in Android OS, there’s no tool to just disable the feature. Instead, we’ll need to use workarounds.
We know that the exploit is only activated when the MMS is downloaded automatically on your device. Let’s disable that feature.
Hangouts: If you’re using Hangouts for SMS, tap the “Hamburger” menu, select “Settings -> SMS” and uncheck the “Auto-retrieve MMS” option.
Messenger by Google: If you’re using Google’s Messenger app, tap the three-dot menu button and select “Settings.” Go to “Advanced” and disable the “Auto-retrieve” option.
Messaging: If you’re using an older version of Android, it probably came with the Messaging app installed. Tap the “Menu” button, then “Settings”, find the “Multimedia (MMS) messages” section and uncheck “Auto-retrieve.”
No matter which SMS app you’re using, this option should be somewhere in its settings. Look for it and disable it.
If you’re really paranoid, you can also disable text messages from unknown contacts, if your SMS app supports the feature.
Now the app will no longer automatically download MMS messages.
If you live in an area where MMS messages are still prevalent, just don’t open the MMS messages from people you don’t know.
This is your best defense right now, at least until you get the patched update. If you want to take matters into your own hands, you can root your phone and install CyanogenMod (or another CM-based ROM) to make sure you get prompt security updates. CM has already fixed the bug in the nightly version, and the fix should be out in the stable release soon.
The Android Security Debate
The Stagefright bug has once again kicked off the Android security debate. Do you think Android is less secure than iOS? Or is it just the price you pay for a free and open-source core OS that runs on more than a billion different devices? Share your views in the comments below.