Android Security Flaw Can Wipe You Clean. Let's Be Careful Out There!

By Peter Bernstein September 27, 2012

As an avowed 4G LTE Android enthusiast, I will confess to an obsession with anything that might pose a threat to my smartphone. It was thus with more than a bit of consternation that I read a series of articles in the past few days about a newly discovered Android security flaw that literally with a click can wipe out/wipe clean your device. Ouch!

The original item appeared on a site I visit often, Gizmodo, an admittedly Apple-biased place but one where there are always interesting tips on new things I can do with my device as Apple to the core fanatics can do with theirs.

Author Jesus Diaz deserves credit for uncovering the flaw. It has been confirmed on the Samsung’s popular Galaxy II and AT&T’s Galaxy SIII phones along with any Samsung Android phones running the its TouchWiz user interface (UI). It also evidently has been known as an issue by Samsung for a while, and is not confined to their products alone.

Beware! How it works

The simple explanation that everyone needs to know is that by surfing via TouchWiz to any web page that contains the code “tel:*2767*3855%23" in an HTML frame,” you will have a lot more than your clock cleaned. It will be in fact your worst nightmare.

For those who want some technical details the way in which this nasty boy works is as follows: The HTML frame loads a tel: URL. This URL tells the device its content is a clickable telephone number. However, instead of a phone number, the URL contains a special USSD code that tells the phone to wipe out itself.

As Diaz notes, the term USSD means Unstructured Supplementary Service Data. This is a special number sequence that is used by wireless service providers to execute instructions in your phone. He also was kind enough to provide a list of phones that have been compromised:

Here's a list of the potentially compromised phones:

• Samsung Illusion SCH-I110 (TouchWiz 3.0)
• Samsung Infuse 4G (TouchWiz 3.0)[4]
• Samsung Rugby Smart (TouchWiz 3.0)
• Samsung Droid Charge
• Samsung Galaxy Gio (TouchWiz 3.0)
• Samsung Galaxy Fit (TouchWiz 3.0)
• Samsung Galaxy Mini (TouchWiz 3.0)
• Samsung Galaxy Mini 2 (TouchWiz 3.0)
• Samsung Galaxy 3 (TouchWiz 3.0)
• Samsung Galaxy 5 (TouchWiz 3.0)
• Samsung Captivate Glide (TouchWiz 4.0)
• Samsung Gravity Smart
• Samsung Exhibit II 4G (TouchWiz 4.0)
• Samsung Galaxy Y (TouchWiz 4.0)
• Samsung Galaxy W (TouchWiz 4.0)
• Samsung Galaxy R (TouchWiz 4.0)
• Samsung Galaxy Ace (TouchWiz 3.0)
• Samsung Galaxy Ace Plus (TouchWiz 4.0)
• Samsung Galaxy Ace 2 (TouchWiz 4.0)
• Samsung Galaxy Pro (TouchWiz UI v3.0)
• Samsung Galaxy Pocket
• Samsung Galaxy S (TouchWiz 3.0 / TouchWiz 4.0)
• Samsung Galaxy S Blaze 4G (TouchWiz 4.0)
• Samsung Galaxy S Duos (TouchWiz 4.0)
• Samsung Galaxy SL I9003 (TouchWiz 3.0 / TouchWiz 4.0)
• Samsung Galaxy S Plus (TouchWiz 3.0 / TouchWiz 4.0)
• Samsung Galaxy S Advance (TouchWiz 4.0)
• Samsung Galaxy S II (TouchWiz 4.0)
• Samsung Galaxy S II Skyrocket (TouchWiz 4.0)
• Samsung Galaxy S III (TouchWiz Nature UX)

Unfortunately (and this included me), reader Dylan Reeve says that the problem —executing a USSD code without user intervention from a website, or other delivery vector — in his experience also affects an HTC One X (running HTC Sense 4.0 on Android 4.0.3) and a Motorola Defy (running Cyanogen Mod 7 on Android 2.3.5). Mr. Reeve also was kind enough to suggest that if you are running the latest firmware for Galaxy S3 (4.0.4) you should not have a problem, and that the issue can be avoided by installing an alternative dialer app from Google Play.

Reeve is not the only one offering advice on what to do if you are nervous. Lots of people have weighed in. The consensus seems to be to do what may appear to be obvious but is good practice in any event.

1.       Always avoid links that you are suspect of. I know from a bad click on Twitter just how bad things can get in a hurry.

2.       Yes, by all means use an alternative dialer app for making calls that will not automatically execute the USSD instructions.

3.       Make sure you have the latest firmware for your phone.

4.       Make a daily backup of your phone to your computer so in the event of disaster you can be back in action quickly.

If you have questions as to whether you are running the latest firmware do the following: load your phone's Setting app and scroll down to About Device. Tap that, then the Software Update tab at the top of the next screen that appears. Then, tap Update on the following screen. Your phone will check for updates and install the latest if you're running an older version.

After reading the various items on this I followed the instructions above and to my relief I was on the latest firmware and until the next flaw is found have a lot more peace of mind. This really is a case where as the old bromide goes, “an ounce of prevention is worth a pound of cure.”  



SHARE THIS ARTICLE
Related Articles

Top 3 Takeaways from Microsoft Ignite

By: Special Guest    10/2/2017

Microsoft Ignite wrapped up last week in Orlando. At the company's big conference dedicated to IT professionals and developers, 25,000 business custom…

Read More

Millennials Want Smart Home Tech More Than Anyone

By: Larry Alton    10/2/2017

Millennials are known for having very specific interests. They also hold a significant level of buying power in certain markets, particularly technolo…

Read More

SpaceX Names Satellite Broadband Service, Works FCC Connect America

By: Doug Mohney    9/29/2017

"Starlink" is the potential title for SpaceX's massive satellite network to deliver high-speed Internet access, reports Florida Today. The company has…

Read More

New Apple iPhone X as Much Hype as Innovation

By: Doug Mohney    9/28/2017

Apple is counting on it with the iPhone X -- the "X" symbolizing the 10th anniversary of the iPhone. Fans of the company are falling all over themselv…

Read More

Alexa and the PBX, Coming Soon

By: Doug Mohney    9/28/2017

This week, Amazon unloaded a ton of Alexa-enabled Echo gizmos, including the Echo Connect. Shipping on December 13, 2017 (just before the holiday seas…

Read More