How To: Protect your Android device from the MMS-hack (Stagefright exploit)

Cybersecurity firm Zimperium recently discovered a major flaw present on approximately 95% of Android devices, affecting OS versions from 2.2 to 5.1. What’s really scary is that all this hack needs in order to work is your phone number.

Through an exploit of Stagefright, a media library that processes media files, a hacker can theoretically gain access to your phone by simply sending you an MMS message. No interaction is needed from the user for the malicious code to execute, and if it happens, you can’t even tell you’ve been hacked.

Joshua Drake, Zimperium’s security researcher who found the bug, says that it’s unlikely anyone is using this vulnerability, but really, there’s no way to know for sure. Google has already released patches to fix the flaw, and some companies like HTC have already applied them, but the world of Android is vast, and most devices will get these security updates with delays (we’re talking months here), as they have to go through multiple channels, including manufacturers and carriers.

Since the news about the bug is already out, it’s going to be a race to the finish line for hackers, who obviously have a limited amount of time to figure out how to use the exploit before the patches reach most devices.

With that said, there is something you can do to make sure your phone doesn’t get hacked through a simple text message (besides making sure the device is up to date and saying a prayer).

The exploit takes advantage of the fact that any received MMS is downloaded by your phone automatically, so in order to prevent it you simply have to disable this function. Sure, you’ll then have to tap an MMS message to download it, but it’s definitely more important to keep your privacy and personal data safe, right?

How to disable MMS Auto-Retrieve option

Any messaging app that supports MMS has this option in its Settings, but the OS itself has it as well. As a result, you can turn off the MMS Auto-Retrieve option from your phone’s Settings menu or from your default messaging app’s Settings.

Samsung’s Messages App

If you have a Samsung device and you are using the stock Messages app, you can disable the MMS Auto-Retrieve option from the app’s Settings or your phone’s Settings.

Messenger app - Settings - Multimedia messages

From the app’s 3-dots menu go to Settings and tap on Multimedia messages, then disable the ‘Auto retrieve’ option (and Roaming auto retrieve as well).

For the Samsung Galaxy S6, the Auto Retrieve option for MMS messages is located in the Messages app under More -> Settings -> More settings -> Multimedia messages.

Settings - Applications - Messages

The same option can be accessed in the phone’s Settings by going to the Applications section and tapping on Messages -> Multimedia messages.

Google Messenger app

This one is the default on many Android devices running Android 5.0 and higher. Luckily, the Auto Retrieve option has the same name in practically any app that comes with MMS support, and that is the case here. To access it in Google Messenger, open up the 3-dots menu, select Settings -> Advanced, and then turn off Auto Retrieve.

Auto-retrieve MMS option in Google Messenger

Note: Google Messenger also has an option to auto-retrieve MMS messages while roaming. Make sure that one is disabled as well for obvious reasons, even if you don’t plan to travel abroad very soon.

Hangouts app

Hangouts is another popular messaging app, which is set as default on Nexus 5 devices. If this is the default SMS app on your phone as well, you should know you can’t disable the Auto-Retrieve option from the phone’s Settings in this case. It can only be done from the Hangouts app.

Hangouts - Settings - SMS

Open up Hangouts, tap the hamburger icon to open the side-navigation menu, then tap on Settings -> SMS. Scroll down to the Advanced section, where you’ll find the ‘Auto retrieve MMS’ option that you need to turn off. Hangouts also has the ‘Roaming auto-retrieve’ option, just like Google Messenger; disable that one as well, if it wasn’t already.

Hopefully, you’ll gain some peace of mind after you turn off Auto-Retrieve MMS for your default messaging app. Nevertheless, be aware only Google’s patch offers a complete fix for the Stagefright exploit. Until your device gets that specific security update, it can still get hacked if you choose to manually download a malicious MMS. Conclusion: carefully analyze the MMS messages you’re about to download (avoid unknown contacts and other untrusted sources) and make sure no one else can do that while you’re not paying attention.

Since not everyone is up to date with the latest security findings, I strongly recommend you tell all your friends, family and colleagues who own Android phones about this exploit and let them know how they can protect their privacy.

Further reading:

  • How To: Find out if your Android device is vulnerable to the Stagefright exploit
  • The lowdown on Android’s Stagefright bug: Insights, current status and viable solutions
