A critical Android vulnerability called Stagefright v2.0 (will simply refer to it as Stagefright going forward) has been discovered. Stagefright allows the remote control of your device after infecting it using a multimedia (MMS) file; think WhatsApp or Google Hangouts, how many video clips do you get as jokes? Because WhatsApp and other messaging applications automatically download the video to your device, it will be infected without you having doing anything.
The vulnerability was found in Stagefright an Android media library, hence its naming. It affects approximately 95% of all Android devices in the world. For the technically minded here is a picture of the Android multimedia framework and the Stagefright Engine.
95% of all Android devices means devices running Froyo 2.2 to Kit Kat 5.1.1. A patch has been released by Google to prevent device infection. To check if your device is vulnerable, download the Stagefright Vulnerability Checker (opens the Google Play Store).
If your device is vulnerable to Stagefright disable automatic downloading of media files by your preferred messaging applications. To disable MMS message auto-retrieval, follow the appropriate steps for your messaging app.
- Messaging (built into Android): Open Messaging, tap the menu button, and tap Settings. Scroll down to the “Multimedia (MMS) messages” section and uncheck “Auto-retrieve.”
- Messenger (by Google): Open Messenger, tap the menu, tap Settings, tap Advanced, and disable “Auto retrieve.”
- Hangouts (by Google): Open Hangouts, tap the menu, and navigate to Settings > SMS. Uncheck “Auto retrieve SMS” under Advanced. (If you don’t see SMS options here, your phone isn’t using Hangouts for SMS. Disable the setting in the SMS app you use instead.)
- Messages (by Samsung): Open Messages and navigate to More > Settings > More settings. Tap Multimedia messages and disable the “Auto retrieve” option. This setting may be in a different spot on different Samsung devices, which use different versions of the Messages app.
We strongly recommend you find a way to update your Android device as soon as possible. Network operators should allow zero rated operating system updates to ensure the safety of their consumers and not monetise the safety of their clients – share this message with your network provider.