How to stop Stagefright on Android Lollipop
Stagefright is a potentially serious vulnerability that affects 95% of Android devices. It arises when certain applications download a malicious media file automatically before you even open it. From there, the hacker can – theoretically, at least – delete all traces of the message, leaving you blissfully unaware anything has happened.
So far, no phones have been patched against Stagefright, even though the code to prevent it has been available since April. The responsibility for deploying these patches lies with the hardware manufacturers, and there’s a good chance a fix will never reach older handsets.
That said, there are things you can do right now to limit the potential for the worst kind of damage – malware being installed on your phone with you knowing about it.
Using an HTC One M8 running the latest version of Android, Lollipop, I will show you how to prevent the OS from walking straight into that trap. Your steps may subtly differ, and I can only guarantee these will work on Lollipop, which is used by slightly more than 12% of users.
The entrypoint for Stagefright is any app that receives MMS messages. This generally means two applications: Hangouts and your phone’s standard messaging app.
Let’s deal with Hangouts first:
1. Load the Hangouts app.
2. Pull out the options menu with a swipe to the right.
3. Stagefright is an MMS vulnerability, so open up the SMS option.
4. One solution is to just disable SMS in Hangouts, which as you can see is something I did a long time ago. It’s right there at the top of the options.
5. If you’d prefer not to take this radical step, just scroll on down to advanced and untick ‘Auto retrieve MMS’. That way if anyone sends you the malware, the phone won’t automatically download it. Just make sure you don’t download it yourself.
Dealing with messages is just as simple – or, at least, it is on the HTC One M8:
1. Go to your phone’s messaging app and head to MMS settings.
2. Untick the Auto-retrieve box in the MMS settings section.
Finally, a reminder: until handset manufacturers roll out a proper Stagefright fix, your Android phone remains vulnerable. All this does is prevent your phone downloading (and installing) the malware automatically.
Be vigilant: treat any file you’re sent in the same way you would a suspicious email: if you don’t know the sender, don’t open it. If you do know the sender, but they don’t often send you files, don’t open it until you’ve checked they actually sent it. Even then, treat anything you receive with caution.
Image: Scott Akerman used under Creative Commons