Android Security Flaw Can Wipe You Clean. Let's Be Careful Out There!

By Peter Bernstein September 27, 2012

As an avowed 4G LTE Android enthusiast, I will confess to an obsession with anything that might pose a threat to my smartphone. It was thus with more than a bit of consternation that I read a series of articles in the past few days about a newly discovered Android security flaw that, literally with a click, can wipe your device clean. Ouch!

The original item appeared on a site I visit often, Gizmodo, an admittedly Apple-biased place but one where there are always interesting tips on new things I can do with my device, just as Apple-to-the-core fanatics can do with theirs.

Author Jesus Diaz deserves credit for uncovering the flaw. It has been confirmed on Samsung’s popular Galaxy II and AT&T’s Galaxy SIII phones, along with any Samsung Android phones running its TouchWiz user interface (UI). It evidently has also been known to Samsung as an issue for a while, and is not confined to its products alone.

Beware! How it works

The simple explanation that everyone needs to know is that by surfing via TouchWiz to any web page that contains the code "tel:*2767*3855%23" in an HTML frame, you will have a lot more than your clock cleaned. It will in fact be your worst nightmare.

For those who want some technical details, the way in which this nasty boy works is as follows: The HTML frame loads a tel: URL. This URL tells the device its content is a clickable telephone number. However, instead of a phone number, the URL contains a special USSD code that tells the phone to wipe itself.
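The mechanism above can be checked for from the defender's side. The following is an added example, not from the article or the Gizmodo report: a Python scanner that finds tel: URIs in a page, percent-decodes them, and rates a USSD-style code in an auto-loading frame or refresh higher than one behind a link the user must tap. The names classify_tel, TelScanner and scan, the severity labels, and the '*'/'#' heuristic are assumptions of this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# (tag, attribute) pairs a browser loads with no user action.
AUTO_LOAD = {("iframe", "src"), ("frame", "src"), ("embed", "src"), ("object", "data")}

def classify_tel(uri):
    """Return 'ussd', 'phone', or None when uri is not a tel: URI."""
    uri = uri.strip()
    if not uri.lower().startswith("tel:"):
        return None
    dial = unquote(uri[4:])  # percent-decoding turns %23 into '#'
    # Heuristic (assumption): USSD/MMI codes are built around '*' and '#'.
    return "ussd" if "*" in dial or "#" in dial else "phone"

class TelScanner(HTMLParser):
    """Collects (severity, tag, uri) for each tel: URI found in a page."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: v for k, v in attrs if v}
        candidates = list(attrs.items())
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            # A refresh target looks like "0; url=tel:..." and loads by itself.
            m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", attrs.get("content", ""), re.I)
            candidates = [("refresh", m.group(1))] if m else []
        for name, value in candidates:
            kind = classify_tel(value)
            if kind:
                auto = name == "refresh" or (tag, name) in AUTO_LOAD
                severity = "info" if kind == "phone" else "high" if auto else "medium"
                self.findings.append((severity, tag, value.strip()))

def scan(html):
    scanner = TelScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; *#06# only displays the handset's IMEI.
SAMPLE = """<a href="tel:+15551234567">Call us</a>
<a href="tel:*%2306%23">Tap to dial</a>
<iframe src="tel:*%2306%23"></iframe>
<meta http-equiv="refresh" content="0; url=tel:*%2306%23">"""

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Script-driven navigation is outside what this HTML-attribute scan covers, so a clean result does not prove a page is safe.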

As Diaz notes, USSD stands for Unstructured Supplementary Service Data. This is a special number sequence that wireless service providers use to execute instructions on your phone. He was also kind enough to provide a list of the potentially compromised phones:

• Samsung Illusion SCH-I110 (TouchWiz 3.0)
• Samsung Infuse 4G (TouchWiz 3.0)
• Samsung Rugby Smart (TouchWiz 3.0)
• Samsung Droid Charge
• Samsung Galaxy Gio (TouchWiz 3.0)
• Samsung Galaxy Fit (TouchWiz 3.0)
• Samsung Galaxy Mini (TouchWiz 3.0)
• Samsung Galaxy Mini 2 (TouchWiz 3.0)
• Samsung Galaxy 3 (TouchWiz 3.0)
• Samsung Galaxy 5 (TouchWiz 3.0)
• Samsung Captivate Glide (TouchWiz 4.0)
• Samsung Gravity Smart
• Samsung Exhibit II 4G (TouchWiz 4.0)
• Samsung Galaxy Y (TouchWiz 4.0)
• Samsung Galaxy W (TouchWiz 4.0)
• Samsung Galaxy R (TouchWiz 4.0)
• Samsung Galaxy Ace (TouchWiz 3.0)
• Samsung Galaxy Ace Plus (TouchWiz 4.0)
• Samsung Galaxy Ace 2 (TouchWiz 4.0)
• Samsung Galaxy Pro (TouchWiz UI v3.0)
• Samsung Galaxy Pocket
• Samsung Galaxy S (TouchWiz 3.0 / TouchWiz 4.0)
• Samsung Galaxy S Blaze 4G (TouchWiz 4.0)
• Samsung Galaxy S Duos (TouchWiz 4.0)
• Samsung Galaxy SL I9003 (TouchWiz 3.0 / TouchWiz 4.0)
• Samsung Galaxy S Plus (TouchWiz 3.0 / TouchWiz 4.0)
• Samsung Galaxy S Advance (TouchWiz 4.0)
• Samsung Galaxy S II (TouchWiz 4.0)
• Samsung Galaxy S II Skyrocket (TouchWiz 4.0)
• Samsung Galaxy S III (TouchWiz Nature UX)

Unfortunately (and this included me), reader Dylan Reeve says that the problem, executing a USSD code without user intervention from a website or other delivery vector, in his experience also affects an HTC One X (running HTC Sense 4.0 on Android 4.0.3) and a Motorola Defy (running CyanogenMod 7 on Android 2.3.5). Mr. Reeve was also kind enough to suggest that if you are running the latest firmware for the Galaxy S3 (4.0.4) you should not have a problem, and that the issue can be avoided by installing an alternative dialer app from Google Play.

Reeve is not the only one offering advice on what to do if you are nervous. Lots of people have weighed in. The consensus seems to be to do what may appear to be obvious but is good practice in any event.

1. Always avoid links that you are suspicious of. I know from a bad click on Twitter just how bad things can get in a hurry.

2. Yes, by all means use an alternative dialer app for making calls that will not automatically execute the USSD instructions.

3. Make sure you have the latest firmware for your phone.

4. Make a daily backup of your phone to your computer so in the event of disaster you can be back in action quickly.

If you have questions as to whether you are running the latest firmware, do the following: load your phone's Settings app and scroll down to About Device. Tap that, then the Software Update tab at the top of the next screen that appears. Then, tap Update on the following screen. Your phone will check for updates and install the latest if you're running an older version.

After reading the various items on this, I followed the instructions above and, to my relief, I was on the latest firmware and, until the next flaw is found, have a lot more peace of mind. This really is a case where, as the old bromide goes, “an ounce of prevention is worth a pound of cure.”


