Android’s Hangouts/MMS Stagefright Hack: How To Protect Your Data From Hackers

Android smartphone users no doubt have heard news that their smartphones are vulnerable to a new “hack” that can affect nearly ALL Android devices. The hack affects Android devices running the operating system from version 2.2 (froyo) to 5.1 (lollipop).

What is the hack? What can the hackers do?

The hack attacks weaknesses in the media library (known as “Stagefright”) and exploits them. Hackers only need to send an MMS (multimedia short message) containing the malicious code, and once your phone processes the MMS, it will allow hackers to gain access to your device without your knowledge!

The hack is the most effective if you are using Google Hangouts for SMS/MMS as Google Hangouts will automatically process the code sent through MMS, but the other apps are not immune too!

Running the code allows the hackers to gain access to almost any information in your smartphone including stealing your files, operating your microphone, reading your private emails and copy your personal details such as passwords, credit card numbers, contacts so on and so forth. This can all be done simply by sending an MMS to your phone number! The hacker cannot be detected and you will never know that you have been hacked. Does that thought scare you?

How can I better protect myself from the hack? Can I fix it?

There are several ways to protect yourself against this hack, the best being an update to your phone to patch this. Including that, do follow these tips and good practices we have researched and recommend to better protect your data privacy from potential hackers.

Tip 1. Check if your phone has an update! If not, contact your carrier to ask

The most secure way to protect yourself against this hack is to check whether the update is ready for your phone. To do that, for most phone simply go to “Settings > About phone” and look for an option to check for updates. If you do not see an update or is unsure of how to do this, bring your phone to your carrier and ask them!

Tip 2. Turn off “Auto-retrieve MMS” in Hangouts/Messenger and your other SMS/MMS apps

No matter what SMS/MMS app you use, it is advisable to turn off “Auto-retrieve MMS” in your app Settings until you are absolutely sure it is safe to do otherwise. If you do not see in the main settings page, it is probably hidden in “advanced settings” or something similar. Here’s what it looks like in Google’s Messenger:


Google Messenger: Turning “Auto-retrieve” off.

Tip 3. Stop using Hangouts for SMS/MMS until you get an update with the security fix

Hangouts unfortunately is the main target in the Stagefright hack. If you are using Hangouts for SMS/MMS, here’s what you can do:
Go into “Hangouts > Settings > SMS” and uncheck “Turn on SMS”. There are many other SMS apps on the Play Store and you do not need to stick with Hangouts.

Tip 4. Do not open MMS from unknown numbers

Even if you are not using Hangouts, all the hack needs is an extra step: the user opening the MMS. With that in mind, fight your curiosity – delete suspicious messages (especially from unknown numbers) without opening them.

Tip 5. Encrypt all your important information (such as credit card number, bank account number, passwords) using apps with proper encryption

Do not store private and important information like passwords, bank account numbers, credit card numbers in your smartphone! If you really need to store the information, never store them without encrypting! However, how do you know the apps you are using are secure enough?

For a start, look for the encryption the apps use. “256-bit AES encryption” (think military grade) is an extremely secure encryption which alarmingly not all password management apps provide – it takes roughly 3.31 x 1056 years (yes, 56 zeroes) to break in using a super computer in today’s standards. On top of that, if the apps need you to enter a PIN code, it adds another layer of security over automatic login services and apps.

So are there apps that use it? Yes there are! For example, Password Locker (Free) is one of the most secure yet convenient password manager app, applying 256-bit AES encryption to all information stored in the app. Password Locker also provides a self-destruction option to delete all data if the wrong password is entered too many times.

For Photo and Video encryption needs, Photo Locker (Free) and Video Locker (Free) provides 128-bit AES encryption (roughly 1 x 1018 years to crack – 1 billion billion years! In contrast, the universe is said to be less than 14 billion years old).

Extra Tip: Store personal/private credentials with a simple mental, easy-to-remember mental modification.

Think those crazy number of years to crack is not safe enough for you? There is a little mental hack that you can apply to deter hackers even after they manage to decrypt your precious data – apply a mental “password” to all your credentials!

What do we mean by that? Here’s an example:

  1. Start with a formula that you can remember, for example it can be as simple as “+8”
  2. Apply the formula “+8” to every number-based credential you remember. If your password is 1111, it becomes 1119. (Of course this is just an example – never use such simple passwords)
  3. When you need to use your password, just apply the reverse “-8” and use the password!
  4. This way, even if after 149 trillion years of hacking, the hackers will not get your REAL password/credentials.

Here is what Google said in response to the hack, if you are curious:

…the security of Android users is extremely important to us and so we responded quickly and patches have already been provided to partners that can be applied to any device.

Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult. Android devices also include an application sandbox designed to protect user data and other applications on the device.

Got any pro-tips to add? Discuss below or message us on Facebook/Twitter!

[Source 1, 2, 3]

This post is brought to you by the security/privacy-conscious Password Locker team, dedicated to create the best data protection app. Got suggestions? Let us know! We’re always listening!

(Updated 2/2/16 to refer to the re-written app, Password Locker)


Handy Apps specializes in developing high value apps for the Android platform. Our line of innovative products includes our latest finance manager app Expense IQ.

Tagged with: , , , , , , , , ,
Posted in Blog, News, Password Locker, Photo Locker, Security/Privacy, Video Locker

Leave a Comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow us at:
%d bloggers like this: