Stagefright: How to Secure Your Android Phone in 2 Simple Steps

KoolSpan’s TrustText messaging app is not vulnerable to the Stagefright Android Bug. By communicating with your contacts using TrustText, and disabling automatic MMS downloads in the default Android messaging app, Android users can mitigate the risk.

In what’s been dubbed ‘the worst Android flaw ever,’ a new vulnerability has been discovered in Android phones. Stagefright, a media playback engine in Android, contains ‘remote code execution bugs,’ which enable malicious hackers to infiltrate devices by sending a specially crafted multimedia message (MMS) to any phone number. The message contains code allowing the hackers to steal data from all parts of the phone that can be reached with Stagefright’s permissions, including audio, video, and photos stored in SD cards. On older phones, such as the Samsung S4 and LG Optimus Elite, Stagefright runs with system-level privileges, providing wide access to the phone.

The immense danger of the Stagefright vulnerability is that it is triggered by the display of the message in the Android Messages app user interface. The recipient of the message does not actually have to play the multimedia file – as long as it is sent and downloaded, it can plant code on the phone! The Messages app (and other consumers of multimedia data) pre-stages the playback of messages in order to give the user some information about the file before actually playing it – like the type of media it contains, the length of the media, etc. This is where Stagefright is invoked with no input from the user.

To work around this and mitigate the vulnerability, it is important to note that MMS is actually a specially formatted Short Message Service (SMS) message, sometimes called a text message. Basically, an MMS is an SMS message that includes a hyperlink telling the Messages app where to download the multimedia payload. A two-step process to quickly avoid the Stagefright attack includes first disabling automatic download of MMS message payloads, and then using an alternate, secure, messaging app.

In order to disable automatic download of MMS message payloads, do the following:

  1. Start the Messages app, and navigate to the Settings menu.
  2. From the Settings menu, select Multimedia messages.
  3. From the Multimedia messages menu, clear the Auto retrieve check box.

Disabling automatic download of MMS messages gives the recipient the opportunity to decide whether to download, and ultimately view, the message. The recipient can consider the message source and decide whether it seems safe before manually downloading the message for display in Messages.
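How the Auto retrieve setting changes what a client does with an MMS notification, as an added example that is not code from KoolSpan or the Android Messages app: it decodes a constructed, simplified m-notification-ind PDU (real notifications carry more fields) and returns the client's next action without fetching anything. The function names, the sample PDU and the mmsc.example URL are assumptions; the field codes follow the OMA MMS encapsulation encoding.

```python
# Field codes (high bit set) from the OMA MMS encapsulation header table.
SHORT_INT = {0x8C: "message_type", 0x8D: "mms_version"}
TEXT = {0x98: "transaction_id", 0x83: "content_location"}
M_NOTIFICATION_IND = 0x82

# Constructed, simplified notification: only the four fields parsed here.
SAMPLE_PDU = (
    bytes([0x8C, 0x82])                  # X-Mms-Message-Type: m-notification-ind
    + bytes([0x98]) + b"T1234\x00"       # X-Mms-Transaction-ID
    + bytes([0x8D, 0x92])                # X-Mms-MMS-Version: 1.2
    + bytes([0x83]) + b"http://mmsc.example/m/abc123\x00"  # X-Mms-Content-Location
)


def parse_notification(pdu: bytes) -> dict:
    """Decode the short-integer and text-string headers of a notification."""
    fields, i = {}, 0
    while i < len(pdu):
        code = pdu[i]
        i += 1
        if code in SHORT_INT:
            if i >= len(pdu):
                raise ValueError("truncated header value")
            fields[SHORT_INT[code]] = pdu[i]
            i += 1
        elif code in TEXT:
            end = pdu.find(b"\x00", i)
            if end < 0:
                raise ValueError("unterminated text-string")
            fields[TEXT[code]] = pdu[i:end].decode("ascii")
            i = end + 1
        else:
            raise ValueError(f"unsupported header 0x{code:02x}")
    if fields.get("message_type") != M_NOTIFICATION_IND:
        raise ValueError("not an m-notification-ind PDU")
    return fields


def handle_notification(pdu: bytes, auto_retrieve: bool) -> tuple:
    """Return the action a messaging client would take; nothing is fetched."""
    url = parse_notification(pdu)["content_location"]
    if auto_retrieve:
        # Payload is downloaded and handed to media parsing with no user input.
        return ("fetch_now", url)
    # Only the notification is shown; the user chooses whether to download.
    return ("await_user", url)
```

With `auto_retrieve=False` the untrusted payload never reaches the media framework until the recipient asks for it, which is the effect of clearing the Auto retrieve check box.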

Second, use an alternate messaging app rather than the default Android MMS. Consider KoolSpan’s TrustText; not only is TrustText not vulnerable to Stagefright, but it encrypts all messages end-to-end, protecting messages from interception. With TrustText you can send sensitive information via text without concern of others intercepting your messages, or in the case of the Stagefright vulnerability, without a sender exploiting your phone and data.