stagefright android bugUpdated: August 10, 2015

Anyone using a smartphone with Android version 2.2 or later should be aware of a major security flaw that was discovered which could enable a hacker to take control of your phone just by sending you a text message. According to Fortune, they’re calling it “Heartbleed for mobile,” which should be enough to indicate the severity of this bug. Essentially, the bug — which is nicknamed Stagefright after the name of the media library where the bug was found within Android code — allows a hacker to send a malware-laced multimedia message (MMS) to your phone and gain immediate access.

The Stagefright media library works to help phones interpret MMS content (such as videos, photos, audio, etc.), and most phones are set to automatically download this content when a message is received. This means you don’t need to do anything on your end for this hack to work, which is what makes it so dangerous. All the criminal has to do is have your phone number and they can get into your phone and steal data and photos, hijack your microphone and camera and more. The worst part? This mobile security flaw has been around for five years, as reported by Fortune.

Which Android devices are vulnerable?

All Android-based phones running version 2.2 or later are potentially vulnerable, however, the most vulnerable are those running a version of the software that predates Jelly Bean (4.1). This accounts for 11% of phones currently on the market, but overall approximately 95% of Android devices — roughly 950 million — could be at risk. The reason those after Jelly Bean are more protected is that Google started adding extra security that helps prevent against the types of exploit that could be used for this type of attack. That said, all Android smartphone users should be on alert.

How can I protect myself from the Stagefright bug?

Due to the nature of this bug, a hacker could send a message to your phone and infect it, steal your contacts list, delete the evidence and continue on doing the same thing to all your contacts’ phones without anyone being the wiser. Google has already put out patches that fix this flaw, but it’s up to manufacturers and wireless providers to roll out patches to device owners before this will be fixed completely. That said, there are some things you should do now:

1. Contact your manufacturer. Either visit the website or call customer service and find out when the patch will be available — or if it already is — and how it will be delivered to your device. Unfortunately, manufacturers can be slow in rolling out patches for security flaws, but hopefully the severity of Stagefright will spur most to act more quickly than they normally might.

2. Change your messenger settings. Whichever messenger you use, whether it’s your manufacturer’s proprietary messenger program, Google Hangouts or any other messenger app connected to your phone number, you can disable the setting that allows your phone to automatically download MMS messages. It’s a bit different for each type of messenger, but in general you should access the settings within the messenger program and there will be a box you can uncheck labeled “automatically retrieve MMS messages.”

Stagefright Android bug

View of the MMS settings screen for the LG Android Messenger app

3. Update your phone’s software ASAP. When a patch or update is available for your phone’s software, install it immediately. Sometimes it’s tempting to put these updates off, especially because they can take some time and interrupt the flow of your day while your phone is temporarily unavailable. But given the potential harm the Stagefright bug could do, it’s better to be temporarily inconvenienced than risk your mobile security.

To learn more about protecting your mobile devices as well as your computers from viruses and hackers, visit our Internet security software reviews.