Stingray barbs contain various enzymes and other proteins that interact with the human body in complex ways. Stingray wounds can be deep, painful, and easily infected. But the animals themselves are quite docile, and their attacks are almost never fatal.

Another kind of stingray poses wildly different dangers. Electronic devices called stingrays dupe nearby mobile devices into thinking they’re cell towers. When the devices connect, the stingray can extract sensitive information, putting users at risk. Their use is well-known among military and law enforcement operations, but criminals can get their hands on the technology, too. Finally, new devices shipping with Android 16 will employ updated tools that mitigate some of the harm stingrays can do (Source: Android Authority).

Automated alerts of unencrypted, untrustworthy actors

Doing the stingray shuffle

Named after the brand that pioneered them, stingrays fool nearby mobile devices into giving up sensitive information. In particular, the IMSI linking you and your phone to your mobile account can lead to direct identification — in fact, stingray is just a different name for an IMSI catcher. And you don’t need to be a targeted individual to have your identity and location revealed; some stingrays can collect sensitive data from every local device simultaneously. Advanced versions can even instruct your phone to change important settings under the hood and expose you to significant vulnerabilities.

Naturally, the fine, upstanding readers of Android Police reader would never have any reason to fear law enforcement or military operations. But a bad actor getting their hands on a stingray could spell trouble for large swaths of users near the device, or even scarier, individual users being surreptitiously tracked by non-government, non-law-enforcement individuals or organizations.

Google’s been working to add protection from these clandestine surveillance tools for years. Android 12 gave users the ability to disable 2G connectivity, which fights a common IMSI catcher technique of coaxing phones into downgrading to an insecure network protocol. Android 14 followed up by letting users block null ciphers (read: totally unencrypted communications, which malicious software can attack). Android 15 took it further, adding support for notifying the OS when a network asks for your device’s unique identifiers or forces a weaker cipher.

Sounds great, right? Here’s the rub: most of these features depend on a modern modem and version 3.0 of Android’s IRadio HAL (hardware abstraction layer). That’s why even Pixel 9 devices running Android 16 aren’t seeing the new “Mobile network security” page — their hardware simply doesn’t support its advanced functionality. And, thanks to the Google Requirements Freeze program outlining how manufacturers can design hardware for the long term, most currently released phones never will.

In 2021, Qualcomm introduced an SMS service warning users of stingray attacks, but it never caught on.

Currently, only 2G network disabling is readily available on Android devices. From here on out, though, devices with the right modem capabilities will be able to use all three features. The new settings will live under Settings > Security & privacy > Safety Center. There are two subsections:

Notifications: Lets Android alert you when your device connects to an unencrypted network or when a carrier tries to grab your phone’s unique identifiers. Off by default.

Network generation: A toggle for disabling 2G, also off by default — same as the one buried in the SIM settings.

The uncovered menu will only be available on devices that support both 2G disabling and notifications of insecure networks. It doesn’t mention the null cipher protection, which could actually become a universal feature on supported modems. Nowadays, your phone transmits an encrypted copy of your IMSI (instead of a null cipher copy), so a bad actor would need your carrier to decrypt it. That’s exclusively law enforcement and government territory.

Now that the related settings menu has landed in Android 16, after the relevant code was found in Android 15, Google seems to think devices — such as the Pixel 10 — will start supporting the features soon. The bottom line is that Google’s been working to protect users from barely detectable man-in-the-middle attacks from stingrays for quite some time. Until other OEMs ship compatible hardware, though, most of us will have to watch their increased security from the sidelines.