large image

Trusted Reviews is supported by its audience. If you purchase through links on our site, we may earn a commission. Learn more.

Android Stagefright Bug: What is it and how can you protect your phone?

What is Android Stagefright? We explain how the messaging bug works and what you can do to make sure your Android phone doesn’t get infected

Mobile security is a hot topic right now, as the rapid rise in smartphone adoption is matched by instances of malicious software.

Of particular concern at the moment is the emergence of the Stagefright bug, which leaves some 950 million Android phones vulnerable to remote exploitation.

Towards the end of July, a researcher named Joshua Drake from security firm Zimperium uncovered the so-called Stagefright exploit. This preys on a number of software vulnerabilities found in a specific portion of the Android OS, and it doesn’t require special skills to implement.

Here’s everything you need to know about the Stagefright bug, including some tips on how to counteract it.

What is is Stagefright?

Stagefright is an exploit that capitalises on vulnerabilities within the software that Google’s Android OS uses to process, play and record multimedia files.

The vulnerability can be initiated through the sending of a simple picture message, and it can also make its way onto a device simply by landing on a webpage containing affected embedded video content.

Once an Android device has been infected by Stagefright, a hacker can remotely access the device’s microphone, camera, and external storage. In come cases, they can even gain root access to the device.

Related: Best smartphones 2015

Google Play

Which phones are affected?

The bad news here is that virtually all Android devices are susceptible to the Stagefright exploit. It affects phones running on Android 2.2 and above, which means pretty much every Android phone still in operation today.

In fact, at the time of its discovery a couple of weeks ago, it was estimated that roughly 95 percent of Android phones in use today are at risk.

Drake believes this could equate to 950 million vulnerable Android devices around the world.

What’s being done about it?

Fortunately, Google has known about Stagefright for some time. Drake let the company know about it back in April, as well as providing the search giant with a patch of his own making.

Google, for its part, instantly applied the fix to its Android code base. The trouble is, as every Android fan knows, it takes an absolute age for updates to make their way to the entire Android ecosystem – hence that 95 percent vulnerability figure listed above.

This is down to the fact that, despite creating Android, Google isn’t responsible for the rollout of core updates to the vast majority of the Android smartphones on the market. That’s down to the manufacturers and the network operators they work with.

Google has been able to provide a fix to all Nexus devices from the Nexus 4 onwards, and will continue to send out monthly security updates from now on.

LG and Samsung have followed in line, pledging to work with network operators to implement updates that will eradicate the Stagefright exploit.

Motorola, too, has revealed that it will be updating its entire modern range (so effectively from the first generation Moto X era onwards), with carriers set to receive the files for testing from August 10.

What can you do right now?

While you’ll have to sit and nervously wait for your manufacturer and operator to collaborate on a fix, you can determine whether your Android device is vulnerable or whether it’s susceptible right now.

Just download the free Stagefright Detector App by Zimperium (the security company Joshua Drake works for) from the Google Play Store.


Once you’ve run the test (it takes seconds), you’ll probably discover that your phone is vulnerable, with a message like the one above. Note: this doesn’t mean that you phone has been infected, so don’t panic!

If your phone is vulnerable, and you use Hangouts as your main messaging app, go into Settings>SMS and disable the ‘Auto Retrieve MMS’ option.

If you use a different messaging app for such things, double check that no such similar option exists or has been selected. Samsung’s default Messages app also automatically retrieves MMS messages by default, for example.

Regardless of your chosen messaging app, don’t open any picture messages from unknown sources. Delete them straight away, without entering them.

Oh, and if you have an ancient Android phone – say, three years old or older – it might be time to consider upgrading. It’s highly unlikely that your phone will receive a Stagefright fix.

Have you had any bad experiences with the Stagefright bug? Has Google done enough? Let us know in the comments section below.

Why trust our journalism?

Founded in 2003, Trusted Reviews exists to give our readers thorough, unbiased and independent advice on what to buy.

Today, we have millions of users a month from around the world, and assess more than 1,000 products a year.

author icon

Editorial independence

Editorial independence means being able to give an unbiased verdict about a product or company, with the avoidance of conflicts of interest. To ensure this is possible, every member of the editorial staff follows a clear code of conduct.

author icon

Professional conduct

We also expect our journalists to follow clear ethical standards in their work. Our staff members must strive for honesty and accuracy in everything they do. We follow the IPSO Editors’ code of practice to underpin these standards.