Yesterday an Android Vulnerability on Samsung phones was reported which allows malicious website to wipe a user’s device.
The alleged vulnerability was not limited to Samsung devices. The later reports says that the issue extends beyond Samsung’s products but also exists on many more devices. It is been confirmed that HTC Desire running on Android 2.2, HTC One X running HTC Sense 4.0 and a Motorola Defy running a version of CyanogenMod are also found vulnerable by Dylan Reeve, the one who reported the vulnerability. The USSD code to factory data reset a Galaxy S3 is *2767*3855# can be triggered from browser like this: <frame src=”tel:*2767*3855%23″ />. It is not limited to an a link pointing to an iframe, but can also be exploited via WAP push SMS, QR Codes etc.. Phones with the Near Field Communications (NFC) feature could also be attacked.
The vulnerability exploits the Unstructured Supplementary Service Data (USSD) codes, a protocol that allows phones to communicate with telecom provider’s computers for a range of services and is primarily used to top up prepay phones, check balances, contact customer care and a wide variety of services. However, USSD codes can also be used to activate features on the phones themselves, including initiating a factory reset, wipe data from internal memory, lock out the user, lock simcard and deactivate it etc…
Though the vulnerability is new to the public, it was reported at Ekoparty 2012 by Ravi Borgaonkar, here is the video being performed at Ekoparty, http://www.youtube.com/watch?v=Q2-0B04HPhs.
To test whether your device is vulnerable to the attack, use this link http://dylanreeve.com/phone.php
There are confirmed reports that even though your stock dialer is not vulnerable, the third-party dialer applications you have installed can be vulnerable to the attack. For example, the stock dialer with ICS 4.0.4 on a SonyEricsson xperia mini pro does not allow USSD code to run automatically, but when used with Firefox and exDialer v107, the phone becomes vulnerable but not with Opera Mobile. But stil the easiest way to mitigate the risk is to install another dialer: if someone’s trying to exploit this vulnerability, your phone you’ll simply get a “Complete Action Using” dialog and you can dismiss the dialog before the USSD get executed.
Revoking CALL_PHONE permissions for any html rendering application can also be a good idea until the fix comes over the air
The problem was identified and patched three months ago. here is the Google Android bug id. If you are a developer you might be wondering about the fix google introduced. Check it out here. Anyway, Android updates comes so rarely because of the very slow update process by vendors and that even high-end phones can still be wiped by clicking on a link. So make sure you are not letting your device fall into the hands of the hackers by visiting unwanted links.
