Saturday, August 15, 2015

There's no fix for Android's Stagefright hack -- Google's patch won't protect you


Think that Google's patch against the Android Stagefright hack will protect you? It won't.
An estimated 950 million Android devices are vulnerable to the Stagefright hack, although Google claims only 10% of that number are vulnerable. But even that number --- 95 million --- is pretty significant.

In the hack, an attacker sends a multimedia messaging service (MMS) message carrying a malicious payload to an Android device. The attacker can then gain access to the system. In some instances, the message doesn't even have to be opened to expose the system to an attack.
Google built a patch to close the hole, and has begun delivering it to devices and to device manufacturers. But there's a big problem with it: It doesn't work. So claims Exodus Intelligence. In its blog, the security company warns:

The patch is 4 lines of code and was (presumably) reviewed by Google engineers prior to shipping. The public at large believes the current patch protects them when it in fact does not.
The Stagefright hole was discovered by the mobile security firm Zimperium. Zimperium also created a free Stagefright detector app so people could see whether their systems are vulnerable. But Exodus Intelligence says that if devices use Google's faulty patch, the detector will tell people that their devices are safe, even though they aren't safe.
Exodus says that it's working with Zimperium to fix the detector. But it says that Google, so far, hasn't responded. The security firm ESET says, though, that its free ESET Stagefright Detector will detect Stagefright in all devices running Android 4.0 or greater. You can download it here.

There is something you can do to help protect yourself: disable auto-fetching of MMS on your Android device. You'll have to disable it in two places, Google Hangouts and Messages. To disable it in Google Hangouts, first open Hangouts. Then tap Options-->Settings-->SMS. In the General section, check whether you have SMS enabled. If you do, go to Advanced and uncheck the box next to Auto Retrieve SMS. That disables auto-fetching in Google Hangouts.
Next open Messages. Tap More-->Settings-->More Settings-->Multimedia Messages. Turn off Auto Retrieve. That disables auto-fetching in Messages.
