The Worst Android Phone Hack Ever

How to Protect Yourself From The Stagefright Bug

Android phone users have already had their share of malware and hacks thrust upon them by hackers. Up until now, would-be victims would have to somehow infect themselves by doing something such as downloading an infected app, clicking a malicious link, opening a malicious attachment, etc.

The Stagefright Bug

This new mother-of-all Android vulnerabilities affects millions of Android devices worldwide, as many as 950 million devices, according to Zimperium. This new vulnerability is unique in that it doesn’t require victims to do anything in order to become infected. All that is needed is for them to receive a malicious MMS attachment and bingo, game over, the hacker can then “own” the phone. Hackers can even cover their tracks so that the victim doesn’t even know that they had been sent the malicious attachment.

How to Know If You're Vulnerable

This particular hack can potentially affect phones starting with version 2.2 (a.k.a. Froyo) all the way up through newer versions such as Android 5.1 (a.k.a. Lollipop). There are various Stagefright vulnerability detection apps available on the Google Play app store, but you need to be careful and make sure you download one from a trusted source.

A safe bet would be to download the Stagefright detection app available from Zimperium (the firm whose security researcher first discovered the vulnerability). This app won’t fix the issue, but it should at least be able to tell you if you are vulnerable or not.

If you’ve determined that you are vulnerable to the Stagefright bug then you can check with your carrier to determine if they have a patch available for your specific handset. If a patch isn’t available, you can still take some steps to mitigate the attack in the meantime.

What Can I Do to Protect Myself?

There have been a couple of workarounds to help mitigate this risk. One is to change your message app to Google Hangouts and make it your default SMS app. You would then need to change the “Auto-retrieve MMS” setting to “off” (uncheck the box).

This will allow you to at least screen incoming MMS messages. This doesn’t entirely solve the problem because opening a malicious MMS would still result in your phone getting hacked, but at least it lets you decide whether or not to let an MMS through, instead of just leaving your phone wide open to the attack.

The Hangouts / Stagefright Workaround:

  1. Open the “Settings” app on your Android phone.
  2. Under the “Phone” settings section, choose “Applications”.
  3. Touch the “Default Applications” option.
  4. Select the “Messages” setting and change from the currently selected application to “Hangouts”. You should now see “Hangouts” underneath the “Messages” section of the default applications menu.
  5. Exit the “Settings” application.
  6. Open the Hangouts messaging app.
  7. Click the 3 vertical lines in the top left-hand corner of the screen.
  8. Select “Settings” from the menu that slides in from the left side of the screen.
  9. Tap “SMS” to enter the Hangouts SMS settings area.
  10. Scroll down to the setting titled “Auto retrieve MMS” and uncheck the box next to this setting. Use the back button to exit the settings area once the box has been unchecked.

This workaround should only be a temporary fix and doesn’t prevent the vulnerability. It only adds a layer of user intervention which may keep the vulnerability from automatically affecting your phone.