Home / Opinions / Android Stagefright Bug: What is it and how can you protect your phone?

Android Stagefright Bug: How can you protect your phone?

by

Stagefright

What is Android Stagefright? We explain how the messaging bug works and what you can do to make sure your Android phone doesn't get infected

Mobile security is a hot topic right now, as the rapid rise in smartphone adoption is matched by instances of malicious software.

Of particular concern at the moment is the emergence of the Stagefright bug, which leaves some 950 million Android phones vulnerable to remote exploitation.

Towards the end of July, a researcher named Joshua Drake from security firm Zimperium uncovered the so-called Stagefright exploit. This preys on a number of software vulnerabilities found in a specific portion of the Android OS, and it doesn't require special skills to implement.

Here's everything you need to know about the Stagefright bug, including some tips on how to counteract it.

What is is Stagefright?

Stagefright is an exploit that capitalises on vulnerabilities within the software that Google's Android OS uses to process, play and record multimedia files.

The vulnerability can be initiated through the sending of a simple picture message, and it can also make its way onto a device simply by landing on a webpage containing affected embedded video content.

Once an Android device has been infected by Stagefright, a hacker can remotely access the device's microphone, camera, and external storage. In come cases, they can even gain root access to the device.

Related: Best smartphones 2015

Google Play

Which phones are affected?

The bad news here is that virtually all Android devices are susceptible to the Stagefright exploit. It affects phones running on Android 2.2 and above, which means pretty much every Android phone still in operation today.

In fact, at the time of its discovery a couple of weeks ago, it was estimated that roughly 95 percent of Android phones in use today are at risk.

Drake believes this could equate to 950 million vulnerable Android devices around the world.

What's being done about it?

Fortunately, Google has known about Stagefright for some time. Drake let the company know about it back in April, as well as providing the search giant with a patch of his own making.

Google, for its part, instantly applied the fix to its Android code base. The trouble is, as every Android fan knows, it takes an absolute age for updates to make their way to the entire Android ecosystem - hence that 95 percent vulnerability figure listed above.

This is down to the fact that, despite creating Android, Google isn't responsible for the rollout of core updates to the vast majority of the Android smartphones on the market. That's down to the manufacturers and the network operators they work with.

Google has been able to provide a fix to all Nexus devices from the Nexus 4 onwards, and will continue to send out monthly security updates from now on.

LG and Samsung have followed in line, pledging to work with network operators to implement updates that will eradicate the Stagefright exploit.

Motorola, too, has revealed that it will be updating its entire modern range (so effectively from the first generation Moto X era onwards), with carriers set to receive the files for testing from August 10.

What can you do right now?

While you'll have to sit and nervously wait for your manufacturer and operator to collaborate on a fix, you can determine whether your Android device is vulnerable or whether it's susceptible right now.

Just download the free Stagefright Detector App by Zimperium (the security company Joshua Drake works for) from the Google Play Store.

Stagefright

Once you've run the test (it takes seconds), you'll probably discover that your phone is vulnerable, with a message like the one above. Note: this doesn't mean that you phone has been infected, so don't panic!

If your phone is vulnerable, and you use Hangouts as your main messaging app, go into Settings>SMS and disable the 'Auto Retrieve MMS' option.

If you use a different messaging app for such things, double check that no such similar option exists or has been selected. Samsung's default Messages app also automatically retrieves MMS messages by default, for example.

Regardless of your chosen messaging app, don't open any picture messages from unknown sources. Delete them straight away, without entering them.

Oh, and if you have an ancient Android phone - say, three years old or older - it might be time to consider upgrading. It's highly unlikely that your phone will receive a Stagefright fix.

Have you had any bad experiences with the Stagefright bug? Has Google done enough? Let us know in the comments section below.

fried_egg

August 11, 2015, 1:08 pm

Sounds like the Sony Xperia 3+ is seeing a fix rolling out in Asia today.

Alice H

August 11, 2015, 1:14 pm

I received an MMS purporting to come from O2 a week or so ago. I hadn't changed the settings on my phone at that stage. How can I tell if my device has been attacked?

Techno-phobe

August 11, 2015, 6:13 pm

So....Once again the only option for those of us who aren't "super users of technology" is to upgrade our phones. My Samsung Note 2 does everything I need for my job and personal tech needs and I would love to stop contributing to the electronic waste our culture is so obsessed with, but because it's not profitable for the manufacturer they aren't going to provide a patch for a $700 phone that is only a few years old. Hmmm...smells like the tech sector needs some profits so let's release a new malware we aren't going to protect our customers from. That should help boost the stock another buck a share!

Johnny Walker

August 11, 2015, 11:57 pm

you're reading a tech website. we're presuming you're not a luddite. learn to fiddle with your device's OS or get out Techno-Phobe. I'm completely fine with doing the diy workaround.

Techno-phobe

August 12, 2015, 11:30 am

The tech website article was picked up by national news outlets. If USA Today is considered a tech website I could understand the tone of your reply. Just upset that many people like myself are being told go get a new phone rather than being given the details on how to fix.
Tech isn't my specialty but if you can offer some options on where to go to learn the basics and keep my phone safe and running I'm all ears.

BMc

August 12, 2015, 12:41 pm

Perhaps consider buying a device from a company that regularly provides updates for its devices, without any need to work with the wireless carriers, and supports its devices from multiple years in the past. I am sure you know which company I am referring to.

Cory

August 15, 2015, 9:30 pm

Lookout Mobile Security has an appointment to check to see if you have been infected.

comments powered by Disqus