I have an Android phone and just heard about the major security problem, so what do I do?
This question was answered on July 29, 2015. Much of the information contained herein may have changed since posting.
A number of newly discovered vulnerabilities in a central Android software component called Stagefright, which is used to play, process or record multimedia files, is estimated to affect up to 95% of Android users.
According to the security researcher who discovered it, any Android device running version 2.2 through 5.1.1_r4 can potentially be exploited with a text message that contains a malicious multimedia file, better known as MMS messages.
Standard text messages that only contain text use the SMS (Short Message Service) and are not part of the problem.
Only rigged MMS (Mutlimedia Messaging Service) messages are able to take advantage of this vulnerability.
If you open a malicious MMS message, you could provide complete access to your phone to a remote hacker.
This could allow them to access anything they want on your phone or even wipe everything out, so be very careful with MMS messages, especially if you aren’t sure who sent it.
Google has been made aware of the problem and they have created a patch, but it’s probably going to be a while before your phone will get the fix.
The problem is that Google can’t directly send you the fix; they have to send it to all the different phone manufacturers (Samsung, LG, HTC, Sony, etc.) who then have to work with the various carriers (Verizon, AT&T, Sprint, T-Mobile, etc.) to finally deliver the fix to your phone.
This process could take days, weeks or months, depending upon what type of handset you own and which carrier you use. (If you’re running really old versions that are no longer supported, there may never be a fix!)
With this in mind, waiting for the phone manufacturers and carriers to deliver the fix will leave you vulnerable, so here are a few things that you should do to protect yourself in the meantime:
#1: Turn off the auto-download or auto-retrieval feature on your messaging app
The option is generally located in the Settings menu of whatever messaging apps you use, which can be accessed from within each app. If you use more than one app, make sure you make the change.
#2: If you can’t find a setting to turn off MMS auto-download, stop using the app
The exploit occurs when your phone tries to process a rigged MMS message, so keeping them from ever getting on your phone is best way to protect yourself until a fix is installed.
If you can’t figure out how to stop the auto-downloads, switch to a different messaging app, such as Google Messenger (https://goo.gl/3gCHWV).
#3 Manually download MMS messages only from people you know
Since any random hacker can target you simply by knowing your phone number, it’s extremely important that you pay attention as to who is sending you MMS messages. If you don’t recognize the number, don’t let curiosity expose you!
#4 Stop using the Google Hangouts app on Android phones
The Google Hangouts app will automatically process media when it’s sent, which means you could potentially be exploited even if you don’t view the file. Most people don’t use this app, but if you do, wait for Google to patch the app.
About the author
Posted by Ken Colburn of Data Doctors on July 29, 2015