Android Hack Alert!

Android-logoAndroid Hack Alert: Here’s what you should know. On Monday, a security researcher spilled the beans about a really bad security vulnerability in virtually all Android-powered smartphones. The vulnerability is called Stagefright, and a hacker can simply send you a multimedia text message that would open your smartphone to being remotely controlled by the hacker. The hacker could even delete the message, so your only warning would be a notification that you got an MMS message. You don’t need to do anything at all (like read the message, click a link or open a file), all it takes is for the message to be delivered to your smartphone and you’re toast. This is –not to overstate it- bad.

What makes this worse is that the researcher initially told Google (the maker of the Android operating system) about it back in April. To its credit, almost immediately Google issued patches to the smartphone manufacturers and carriers. But to date, not a single manufacturer (Samsung, HTC, Sony, Lenovo, Motorola, LG, etc.) or carrier (Verizon, AT&T, Sprint, T-Mobile, etc.) has provided a patch for over-the-air update to any smartphone owner. If your device is more than 18 months old, it’s likely you’ll never see a patch. And it’s not very likely even newer smartphone models will get the patch anytime soon (if ever).

So what do you do? You only have three choices:

  1. android-settings-auto-download-mms-screenshotTrade in your Android smartphone for an iPhone. Probably not a great answer for most people.
  2. Turn off ‘auto-retrieve MMS” in Messaging settings, which simply stops the notifications. Now follow-up that by not clicking the download button on any MMS message you receive – even from someone you know (they might have been hacked). This is a quick and dirty fix, so it’s temporary at best. And some other apps (like Hangouts) might also have this vulnerability, so be very careful about downloading images, audio, video, even GIFs.
  3. Not that I’d recommend this, but you could find a tech-savvy friend who will ‘root’ your phone and install a different version of the Android operating system: CyanogenMod. This completely replaces the version that your phone manufacturer or carrier installed, so you’ll lose any specific features, skins and apps that it originally came with. This is not for the faint of heart and does take some technical skills, and it’s really not for the consumer, but for an Android user who’s technically inclined. But CyanogenMod is updated much faster than the version that came with your smartphone.

The good news is that some alternative messaging apps like WhatsApp, Snapchat and Instagram don’t use Stagefright, so if you use them for messaging, you’re ok. And if you have a Google Nexus 6, you’ll be ok as long as you’ve recently updated your smartphone. Other Nexus models may still be vulnerable. Hoo boy, this vulnerability affects nearly a billion smartphones on the planet, so it’s not something you should just ignore. For pretty much any consumer who owns an Android smartphone and reads this, pick option #2 above and make the change right now. I’ll wait.

Ok, now that you’ve done that, you need to be very careful about everything you do online and with your consumer technology. This is just one example of how you should protect your digital life and identity. I have lots more tips on what you should do and not do in my Safe Computing Practices article.

Lastly, you should contact your smartphone manufacturer and your carrier and ask them when the patch will be available. If enough Android users do this, they might get these companies off the dime and into action.


This website runs on a patronage model. If you find my answers of value, please consider supporting me by sending any dollar amount via:

Click or tap to open a new browser tab or your Venmo app and send money via Venmo to @positek

Click or tap to open a new browser tab or your Paypal app to send money via your Paypal account to

Click or tap to open a new browser tab or your Paypal app to send money using your credit card to (no Paypal account required)
(using any credit card)

or by mailing a check/cash to LLC 1934 Old Gallows Road, Suite 350, Tysons Corner VA 22182. I am not a non-profit, but your support helps me to continue delivering advice and consumer technology support to the public. Thanks!

Leave a Comment

Your email address will not be published. Required fields are marked *

For security, use of Google's reCAPTCHA service is required which is subject to the Google Privacy Policy and Terms of Use.

This site uses Akismet to reduce spam. Learn how your comment data is processed.