How to Protect Your Android Phone From the Stagefright Bug

1153076

Earlier this morning, a vulnerability was disclosed for Android phones performing a remote code execution over MMS. Dubbed “Stagefright“, the vulnerability exploits SMS/MMS clients by sending a malformed media file to the user which is automatically downloaded by the default client.

If you’re using Google Hangouts as your default SMS client, here’s how to protect your device from Stagefright by disabling automatic downloading of media files sent via MMS:

Disable auto-retrieve MMS for Android Hangouts to prevent Stagefright hack

Here’s how to protect your phone from the Stagefright bug if you’re using Google Messenger (the default SMS client for Android 5.0+):

Disable auto-retrieve MMS in Android Messenger to fix Stagefright hack

The above screenshots were taken on a Nexus 5, but the steps are the same on any Android device using Hangouts or Messenger. To disable Auto Retrieve MMS in the default SMS client on the Samsung Galaxy S6, go to:

  • Messages app
  • More
  • Settings
  • More settings
  • Multimedia messages
  • Auto retrieve

The final Multimedia messages setting should look like this:

Disable auto-retrieve MMS on your Samsung Galaxy to prevent hacking by the Stagefright bug

More on the Stagefright Hack

From NPR’s Major Flaw In Android Phones Would Let Hackers In With Just A Text:

Here’s how the attack would work: The bad guy creates a short video, hides the malware inside it and texts it to your number. As soon as it’s received by the phone, Drake says, “it does its initial processing, which triggers the vulnerability…”

Once the attackers get in, Drake says, they’d be able do anything — copy data, delete it, take over your microphone and camera to monitor your every word and move. “It’s really up to their imagination what they do once they get in,” he says.

Disabling Auto Retrieve MMS will partially mitigate this vulnerability ahead of the official patch release. All MMS media files will require a click in order to be viewed, but disabling this feature will prevent an attack from automatically executing on your phone. Turning off this feature does not fix the exploit entirely. So long as the bug exists, your Android device remains vulnerable and can be hacked if a malformed media file is downloaded by clicking on it. This vulnerability will not be completely fixed until a patch is released for your device, but this intermediate step can help mitigate the threat in the meantime.

To learn more about the exploit, check out:

This guide is for the versions of Google Hangouts and Google Messenger that ship with the latest version of Android Lollipop (5.1.1). If the steps are different for your version or Android, or if your phone ships with a different default SMS client, please reach out to me at gb@twilio.com and we’ll update this post.

Thank you to Ricky, Rob, Christopher, Kyle, Sam and Jarod for their contributions to this post, to jimrandomh on HN for pointing us down this mitigation path, and to Greg Bulmash for providing the Galaxy instructions.

 

  • Newton Alibi

    Thanx for the heads-up Greg Baugues

  • http://www.patrickchristensen.com StPatrick

    If you wanna’ be completely sure – Go Settings -> More (under Wireless & networks) -> Mobile Networks -> Access Point Names -> [Your operator] -> Delete any MMS-fields (MMSC, MMS proxy)
    You won’t be able to get any MMS messages anymore on any app. I wrote the field values down before I deleted them, just to be sure. However, it might be overkill.

    • Dan

      This seems like a great idea. I’ve now followed the instructions in the article, removed mms seems, and I also recommend this app https://play.google.com/store/apps/details?id=org.nastysage.blacklist

      It has a setting to specifically block mms. I think all these should be good enough to protect any android owner.

    • WOteB2

      You also can simply disable MMS in in the APN-type setting. Only disable MMS, and you don’t need to remove the other settings.

  • Karl John

    You can also turn auto-retrieve to off in the default Samsung messenger’s Settings Menu> MMS

  • decahill

    I understand the caution but the people who have identified the vulnerability have NEVER SEEN an attack in the wild. An attack has never happened to their knowledge. Just because it’s possible doesn’t mean it has ever actually happened. glad there is a fix and am looking forward to the update.

    • Geoff Hinkle

      And yet they are planning to release this at the Black Hat Hacker convention on Aug 1, so they start seeing them on Aug 2.

    • Keith D.

      Once people know there’s a critical bug like this, and where it is, malicious actors can focus their efforts there to figure out how the exploit works on their own, so even though the information hasn’t been released publicly thus far, just telling the world about it still massively increases the odds of an in-the-wild exploit.

      That doesn’t make it a sure thing by any means, because the number of people who’re capable of tracking something like this down on their own is still microscopic compared to the number of people who’d try to exploit it if there were a pre-built package to do so, and of those who do have the knowledge and skill to be able to figure it out on their own, most of them are not malicious actors, but it does still dramatically increase the odds of this showing up in the wild, even before the conference where more information is released to the public.

      • fattire

        And if they do it badly… do a wikipedia search for “Morris Worm” (1988).

  • fattire

    ” Turning off this feature does not fix the exploit entirely. ”

    This is a critical point that probably should be up higher. Do not be lulled into thinking that blocking MMS is sufficient. This isn’t about MMS specifically, but about the part of Android that’s used to plays media. There are many ways that your phone/tablet/whatever can be triggered. Also, be aware that once this gets out in the wild, there’s a decent chance infected devices will start automatically spamming people in their contacts with mails, texts, and whatever else can infect your devices. So until your system is completely patched via an over-the-air or manual update, be wary not only of MMS but emails and phone calls and such that appear to come from phone numbers/contacts you know. It may be their phone, not them.

  • Name

    4.4 doesn’t have that option in Messenger’s settings.

  • Artur

    Please be aware that this bug can be exploited with any media content, extremely within commercial banner at visited webpage. MMS are only one of many attack vectors…

  • dee

    Too bad for the hacker. 1. I’m not using google messenger. 2. I don’t even subscribe in MMS. Nothing to worry about it. :)

    • rad

      1. You’re dumb
      2. MMS isn’t the only way to deliver the payload, videos are how it’s executed

      • Joshua Selvidge

        It’s not just videos
        It’s malicious code hidden in any kind of multimedia content.
        This can include Steganographic attacks
        XARA Attacks
        Forged injection attacks

        Before you call someone else dumb, make sure you know what you’re talking about

  • Fly_Dog

    To disable auto-retrieve on phones using Verizon’s Message+ : from the main Conversations page select the 3 line menu from the upper left, then Settings, scroll down to Advanced, scroll down to Multimedia message (MMS) settings and deselect Auto-retrieve.

    Android 5+: To identify the default message app (my 2014 MotoX shipped with 3 of them):
    Go to Settings -> More (under Wireless & networks) to note the default SMS app.

  • utack

    Or just use the sane solution: A up to date custom rom, whose creators actually give a sh*t about you.

  • Mashuri Clark

    This is where having a rooted phone is an advantage. Use a build.prop editor (I use ROM Toolbox Pro) and search for anything with “stagefright”. Set all flags to “False”. Reboot.

    • Axel Lim

      Seriously? Awesome, doing now :)

    • http://www.mediashow.ro/ MediaShow!ro

      Right, so they will just have to change the name :)

  • Hardeep Singh

    Android app security seems like an endless Tom and Jerry Fight. Along with the alarming growth of the user base, android is the most vulnerable mobile OS of today. Android, being an open platform for publishing of app have made it highly accessible to developers, and also to hackers.

    Stagefright is called the “mother of all Android vulnerabilities,” as this bug puts some 950 million Android phones at risk of hacking. No one has exploited the vulnerability and actually hacked someone’s phone — at least, not yet. The security firm that found the bug, Zimperium, shared the information with Google back in April, along with a suggested patch. This means that
    chances of you getting hacked are pretty slim. But if you are an Android user, the chances that your phone is vulnerable are about 95 percent.

    The need of the hour for developers and enterprises is to be aware & proactive towards mobile security. Its a priority for us at Appknox (www.appknox.com). We help businesses and developers in securing their apps and alerting them to new
    vulnerabilities as they arise.

  • Rareability

    sooooo…We’ve disable auto-retrieve on EVERY messaging app on the phone (lollipop) and we still get auto load of pics in Hangouts (messages/mms etc). Can someone tell me why Hangouts still allows? I disable auto-retrieve there…thanks

  • stepkelin

    Thanx for the giving information and updates. http://www.androidiosguide.com/

  • Cbduhy

    I know good way to protect android devices ,the most useful method to do good backup data to Google account .

  • KawaiiPanda

    omg discus? i normally use discus on kissanime.
    anyway how to protect samsung tab3?

  • Joe Grubb

    Hey Greg, is it possible that we could recommend to Android or Google to allow an option to auto download mms messages only from contacts we select? Maybe suggest that there be a check box in every contact that administers the right for the phone to auto download a mms from those specific contacts. What do you think? How would we go about suggesting that? Also, has a patch already come out, and should I still have the auto retrieve function disabled right now?

  • Joseph Collins

    Thanx to share your knowledge and experience !!

    Joseph Collins from whatsapp monitoring tool

  • HyacinthChoice26

    Informative suggestions – I Appreciate the points – Does anyone know if my assistant could possibly acquire a template IRS 706 version to edit ?