Android - Stagefright security issue: what can a regular user do to mitigate the issue without a patch?

This is not just about MMS or web surfing, since Stagefright is the library that helps phones to unpack multimedia messages: see Media and this article on Fortune.

So it is about any application (including your web browser) that works with multimedia (video clips and audio recordings). MMS is just the easiest way to exploit it, because your phone will not ask you before downloading it.

That is why you also need to think about all other applications working with multimedia and never open any multimedia attachments until the fix is installed on your phone.

For the Web browser, you could switch to Firefox 38 or higher, then you could continue opening web pages with video and/or audio content.

To summarise:

  • Disable auto-retrieval of MMS in your Messaging App (whatever it is) (Guide with images)
  • Switch to Firefox 38 or later (find it in your market / app store)
  • Switch to a filesystem manager hiding video thumbnails, which is the default for Total commander
  • Switch to a video player that is immune, e.g., the video player MX player (make sure to activate its "HW+" setting for all video formats) pointed out by hulkingtickets
  • Do not open any multimedia files or draw video thumbnails in any other applications, and block automatic opening/downloading of them in all apps if possible. This is very important. If your phone is not patched and you use ANY app with multimedia content, and there is no option to block automatic opening of multimedia in this app (example for a browser: if you open some random web page, your browser will preload videos if they are on this web page), then stop using this app and block Internet access for this app (if you can't, delete the app). If this app is important to you, and you can't update the phone firmware or block multimedia in this app, just stop using your phone and buy another one which is not vulnerable.

    Yes, this means that in the worst case you need to change the phone. Stagefright is a very serious vulnerability affecting ~1 billion devices, so you could easily become a victim of an automated attack that is not aimed at you directly but at all 1 billion users.

  • Install updates, if you have Cyanogenmod 11 or 12 (fixed on 23.07.2015, see commits on github)

    EDIT: fixes from 23.07.2015 were incomplete, you may need to update again after fix on 13.08.2015

    EDIT 4: Fixes on 13.08.2015 were again incomplete, you need to update one more time after the fixes from Google in October 2015 (so-called Stagefright 2.0). If you have Android 5.x or 6, you may need to update again after the next fixes from Google in November 2015, since there are similarly dangerous vulnerabilities (CVE-2015-6608 and CVE-2015-6609) that are probably not called Stagefright anymore. Please note that the time of the actual fix from your manufacturer could be later, or at least different. E.g., CM11 got updated on 09.11.2015, while CM12.1 got updated on 29.09.2015.

    EDIT 5: 2 more Stagefright vulnerabilities were reported by Google on 01.02.2016; however, they "only" affect Android 4.4.4 - 6.0.1

  • Wait for update from your manufacturer

    EDIT 2: As with Cyanogenmod, an update from your manufacturer might not be enough, due to the issue with the initial integer overflow fix that was reported on 12.08.2015: Original integer overflow fix ineffective. So even after the update, it is recommended to check if your phone is still vulnerable using the app from Zimperium (finder of the Stagefright issue): Zimperium Stagefright Detector App

  • If you already have root, try the fix offered by GoOrDie. Also see this howto guide.

    EDIT 3: I tried this fix on a Samsung S4 mini, and it did not work. So think twice before rooting your phone.


To mitigate this attack, I've disabled MMSes, since I don't use them anyway. You can do that in the Settings menu. Select Cellular Networks > Access Points Names, select your access point, and remove "mms" from APN Type. I've also cleared out MMSC.


Note that Android converts group SMSes to MMSes, so you might want to disable that too. To do that, go to the Messaging app, open the Settings menu, and disable Group Messaging and Auto-Retrieve.
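After editing the APN type as described in this answer, it is worth confirming that no access point still carries the "mms" type. The script below is an added example, not part of the original answer: it parses the row format that `adb shell content query --uri content://telephony/carriers --projection name:apn:type` prints ("Row: N name=..., apn=..., type=...") and lists every APN whose type list still contains `mms`. The APN rows embedded in it are constructed sample data, not a real carrier table; when `adb` is on the PATH and a device is attached, the script queries the device instead.

```shell
#!/bin/sh
# Added example (not from the original answer): check an Android APN table dump
# for access points that still have the "mms" type after the APN edit.

# Print the name of every APN row (read from stdin) whose type list contains "mms".
apns_with_mms() {
  # Reduce each "Row: N name=X, apn=Y, type=Z" line to "X|Z", then test Z.
  sed -n 's/^Row: [0-9]* name=\(.*\), apn=.*, type=\(.*\)$/\1|\2/p' |
  while IFS='|' read -r name type; do
    # Surround with commas so "mms" must match a whole list element.
    case ",$type," in
      *,mms,*) printf '%s\n' "$name" ;;
    esac
  done
}

# Return 0 when no APN on stdin still carries the mms type, 1 otherwise.
check_dump() {
  if [ -n "$(apns_with_mms)" ]; then
    return 1
  fi
  return 0
}

# Constructed sample dump in the `content query` output format (not real carrier data).
SAMPLE_DUMP='Row: 0 name=Internet, apn=internet, type=default,supl
Row: 1 name=Telco MMS, apn=mms.example, type=mms
Row: 2 name=Combined, apn=internet, type=default,mms,supl'

# Use a connected device if adb is available, otherwise fall back to the sample.
if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
  dump=$(adb shell content query --uri content://telephony/carriers --projection name:apn:type)
  source="connected device"
else
  dump=$SAMPLE_DUMP
  source="constructed sample"
fi

if printf '%s\n' "$dump" | check_dump; then
  echo "No APN with mms type found ($source)."
else
  echo "APNs still carrying the mms type ($source):"
  printf '%s\n' "$dump" | apns_with_mms | sed 's/^/  - /'
fi
```

Reading the table from a real device needs only the shell's read access to the telephony provider; the edit itself is still done in the Settings UI as the answer describes.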


The newest version of Hangouts mitigates this issue; it looks like it does some extra checks before passing the media on to the system service. It doesn't fix the underlying issue in the system, though.

You can also disable MMS auto-retrieve in Hangouts via its Settings → SMS → uncheck Auto retrieve MMS, or in Messenger via its Settings → Advanced → disable Auto-retrieve under MMS. This site has detailed steps if you need them.
