Security Bug Could Wipe Your Android Phone [Updated: Not Just Samsung!]

If you have a Samsung mobile phone running Android with the TouchWiz UI, there's a newly discovered vulnerability that could result in an accidental factory data reset by simply accessing a link from your phone. This includes some Galaxy S II and Galaxy S III devices. UPDATE: Other Android devices not using TouchWiz are also affected.


Update: New reports say the problem started with stock Android diallers, which used to auto-launch USSD codes without asking for user confirmation first. Most USSD codes are harmless, and the problem was supposed to have been patched a while ago. It's such a big deal on Samsung phones that haven't been patched yet because Samsung has specified a USSD code that can trigger a factory reset on its devices. If the phone requested confirmation as it should, it wouldn't be such a problem. But combined with Android's auto-execution of USSD codes, you can see how it could be a serious issue. HTC also has its own USSD code to trigger a factory reset on at least some of its devices.

The alarm was raised several months ago and Samsung devices running the latest firmware should be OK, especially if you're using Jelly Bean. The problem is that Australian units bought on contract could still be waiting for carriers to roll out that update. Aussie carriers are notoriously slow to pass along updates — we even found the vulnerability on a Galaxy S III 4G that has just hit shelves.

If your phone is affected, it will be up to your phone's manufacturer and your carrier to roll out a patch.


Basically, if you access a web page from your phone containing the specific USSD code in the form of a tel: URL, it could trigger a factory data reset that wipes your phone back to factory settings. USSD means Unstructured Supplementary Service Data, which is a protocol commonly used by carriers to execute instructions on your phone. You may have used it previously to recharge your prepaid service and check your balance, for example. It appears that Samsung has its own USSD code that instructs the phone to initiate a factory reset.

Normally, the dialler would prompt you to continue, but the TouchWiz dialler is missing that crucial step and instead automatically executes the code received from other apps on your phone, including the browser. You could potentially even wipe someone else's phone remotely by simply sending an SMS that links to the trigger code.

The problem reportedly only affects phones using the TouchWiz interface, which is the customised skin Samsung puts on its Android devices. The vulnerability has been confirmed on the Samsung Galaxy II and AT&T's Samsung Galaxy S III, but it would be wise to assume that any Samsung Android phone running the TouchWiz UI could be affected until we find out otherwise.

Update: One device that is definitely compromised in Australia is the Samsung Galaxy S III 4G (i9305). We have replicated the bug on a Galaxy S III 4G, which is about to ship on Optus, Telstra and Virgin as a flagship 4G device.

Here's a list of the other potentially compromised phones:

• Samsung Illusion SCH-I110 (TouchWiz 3.0)
• Samsung Infuse 4G (TouchWiz 3.0)
• Samsung Rugby Smart (TouchWiz 3.0)
• Samsung Droid Charge
• Samsung Galaxy Gio (TouchWiz 3.0)
• Samsung Galaxy Fit (TouchWiz 3.0)
• Samsung Galaxy Mini (TouchWiz 3.0)
• Samsung Galaxy Mini 2 (TouchWiz 3.0)
• Samsung Galaxy 3 (TouchWiz 3.0)
• Samsung Galaxy 5 (TouchWiz 3.0)
• Samsung Captivate Glide (TouchWiz 4.0)
• Samsung Gravity Smart
• Samsung Exhibit II 4G (TouchWiz 4.0)
• Samsung Galaxy Y (TouchWiz 4.0)
• Samsung Galaxy W (TouchWiz 4.0)
• Samsung Galaxy R (TouchWiz 4.0)
• Samsung Galaxy Ace (TouchWiz 3.0)
• Samsung Galaxy Ace Plus (TouchWiz 4.0)
• Samsung Galaxy Ace 2 (TouchWiz 4.0)
• Samsung Galaxy Pro (TouchWiz UI v3.0)
• Samsung Galaxy Pocket
• Samsung Galaxy S (TouchWiz 3.0 / TouchWiz 4.0)
• Samsung Galaxy S Blaze 4G (TouchWiz 4.0)
• Samsung Galaxy S Duos (TouchWiz 4.0)
• Samsung Galaxy SL I9003 (TouchWiz 3.0 / TouchWiz 4.0)
• Samsung Galaxy S Plus (TouchWiz 3.0 / TouchWiz 4.0)
• Samsung Galaxy S Advance (TouchWiz 4.0)
• Samsung Galaxy S II (TouchWiz 4.0)
• Samsung Galaxy S II Skyrocket (TouchWiz 4.0)
• Samsung Galaxy S III (TouchWiz Nature UX)

Update: According to Dylan Reeve, "Samsung have been aware of this issue for a few months and the latest firmware for Galaxy S3 (4.0.4) appears to resolve the issue."

Update 2: Dylan also points out that you can avoid the problem if you install an alternative dialer application through Google Play. He says he used Dialer One.

It's not yet clear whether the bug affects certain versions of TouchWiz or all of them, or whether the problem is limited to certain regions or carriers. Samsung phones running stock Android are apparently not affected. For now, you can minimise exposure by using an alternative dialler (like the one mentioned above) that doesn't execute USSD codes automatically. And back up your device as soon as you can.
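The confirmation step a safe dialler applies to a tel: link handed over by the browser, as an added example (not code from Samsung, Android or any app named on this page). The function name, the three action labels and the sample links are assumptions made for illustration; *#06# is the standard code that displays the IMEI.

```python
from urllib.parse import unquote

# Visual separators people type inside phone numbers (allowed by RFC 3966).
SEPARATORS = set(" -.()")
DIGITS = set("0123456789")


def classify_tel_uri(uri):
    """Decide what a dialler should do with a tel: URI from another app.

    Returns (action, dial_string). action is "dial" (pre-fill a plain number),
    "confirm" (show the code and wait for the user) or "reject".
    """
    scheme, sep, rest = uri.strip().partition(":")
    if not sep or scheme.lower() != "tel":
        return ("reject", "")
    # Drop RFC 3966 parameters (";ext=..."), then decode %23 -> '#', %2A -> '*'.
    number = unquote(rest.split(";", 1)[0])
    dial = "".join(ch for ch in number if ch not in SEPARATORS)
    if not dial:
        return ("reject", "")
    if "*" in dial or "#" in dial:
        # '*' and '#' mark MMI/USSD codes: never run one without asking.
        return ("confirm", dial)
    body = dial[1:] if dial.startswith("+") else dial
    if body and all(ch in DIGITS for ch in body):
        return ("dial", dial)
    # Anything else (letters, leftover '%', slashes) is not a dial string.
    return ("reject", dial)


# Constructed sample links, as they might appear in a web page or an SMS.
SAMPLES = [
    "tel:+61 2 5550 0100",   # ordinary number (constructed)
    "tel:*%2306%23",         # percent-encoded *#06# (IMEI display)
    "TEL:%2A123%23",         # constructed balance-check style code
    "tel:%252306",           # double-encoded input is refused, not re-decoded
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", classify_tel_uri(link))
```

The point of the "confirm" branch is that the decoded code is shown to the user before anything is sent, which is the prompt the affected diallers skip.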

Update: The security researcher who first raised the alarm has a test link that will tell you if your phone is affected or not. Click on this link from your phone. If you see your IMEI code pop up, your phone is vulnerable and will need to be patched.

[Pau Oliva and Ekoparty via Twitter via The Verge]


Comments

    Well played apple. Well played.

      not really. Perhaps if it was an Android exploit. But this is a TouchWiz exploit.

      Just goes to show, once again, what a dumb idea these 3rd party skinjobs for android are. Android is perfectly fine, why do Samsung, HTC etc need to throw their own crapware on? (Okay HTC's is the least bad but TouchWiz is frankly awful).

      Apple? No, it's clearly Julia Gillard's fault.

        That bitch

    Really though, a lot of these stories get about of virus attacks on android. Even my own HTC Desire S does funny things like self installs new icons for games that I didn't buy or download and receive spam by the bucketload. I haven't downloaded any new software for it in 12 months. Don't know how to clean it up so I just delete these new self installing apps every 2 days and ignore the spam.

    My wife doesn't have these problems. I bet you can guess which phone she's got.

      haha I would guess but it would set off the trolls.

        Pfft clearly a sony ericsson.

      One of the apps you have downloaded does this. Just change all the permissions

    Given the photos, contacts, data that could be lost - I can't really fathom the impact this could have on Samsung. They could end up in courts for the next 10 years defending claims based on this vulnerability.

      The solution is called BACKUP, BACKUP BACKUP! I can't see why Samsung would have to defend any more than Microsoft would have to defend against data loss from a major BSOD or any other system crash, for example. The beauty about Android is that there are multiple ways of backing up.

    just tried the updated link and the imei popped up on my telstra htc sensation

    IMEI number showed up on my htc sensation xe.

    Doesn't work on my S3 JB 4.1.1

    SGS2 GT-i9100 running Cyanogenmod 9.1.0

    clicked the link and opened it in the stock dialer app and my IMEI code popped up
    clicked the link and opened it up in Go Dialer and my IMEI code did NOT come up

    IMEI came up on my custom rom'ed Telstra HTC One XL.....

    I'm just waiting for Apple to patent this and sue Samsung.

    iDelete - all the rage!

      Don't forget who struck first in the patent war.

    GS2 running custom ROM based on Android 4.0.4
    Still have the problem, which is odd because this ROM uses a modified dialler (I guess it's still the stock one though).

    Samsung Mini (don't laugh) - opened the IMEI. Quickly installed Dialer One, which doesn't. Yay for being always online.

    Any suggestions on how to blast the stock dialler off my phone? It's rooted (I'll beat you all to the punch by saying yes, as a Mini, I know it's rooted in more ways than one).

    Follow the instructions at

    http://news.ycombinator.com/item?id=4569686

    and install this

    https://play.google.com/store/apps/details?id=net.gicode.android.autoresetblocker

    It intercepts the suspect call to the dialer and displays the code being attempted and stops it. Means you may be able to keep your existing dialer until a proper patch is released.

    Tested on Galaxy S2 and works fine

    My Galaxy Nexus running stock 4.0.4 from Telstra showed the IMEI Number on the test site... not liking the look of this...

    But it appears to be vulnerable to the same issues if it executes USSD Codes automatically... unless there isn't a USSD code for factory reset on stock android...

    Hi there,

    Just wanted to let you know that we (Bitdefender) already released a tool on the Play Store that protects against this vulnerability. Now, once you would tap on an exploiting link, Bitdefender will intercept the wipe command and ask you to decide what to do next. You may, if unsure, dismiss the USSD command.

    You can download it from: http://bit.ly/BD_USSD_Wipe_Stopper

    /Alin Vlad
    Global Social Media Coordinator at Bitdefender

    Samsung Galaxy Y Young running 2.3.6 affected. The test page didn't work for me until I used my native browser to access it instead of Opera Mini, though, so another option may be to use a third party browser. As to USSD blockers, I prefer TelStop. Light, requires no permissions, and pops up when a number is auto-dialled with or without your input. Very safe.
