If you have a Samsung mobile phone running Android with the TouchWiz UI, there’s a newly discovered vulnerability that could result in an accidental factory data reset by simply accessing a link from your phone. This includes some Galaxy S II and Galaxy S III devices. UPDATE: Other Android devices not using TouchWiz are also affected.
Update: New reports are saying that the problem started with stock Android diallers that used to auto-launch USSD codes without asking for user confirmation first. Most USSD codes are harmless, and the problem was supposed to have been patched a while ago. The reason why it’s such a big deal on Samsung phones that haven’t been patched yet is because Samsung has specified a USSD code that can trigger a factory reset on its devices. If it requested confirmation as it should, it wouldn’t be such a problem. But combined with Android’s auto execution of USSD codes, you can see how it could be a serious issue. HTC also has its own USSD code to trigger a factory reset on at least some of its devices.
The alarm was raised several months ago and Samsung devices running the latest firmware should be OK, especially if you’re using Jelly Bean. The problem is that Australian units bought on contract could still be waiting for carriers to roll out that update. Aussie carriers are notoriously slow to pass along updates — we even found the vulnerability on a Galaxy S III 4G that has just hit shelves.
If your phone is affected, it will be up to your phone’s manufacturer and your carrier to roll out a patch.
Basically, if you access a web page from your phone containing the specific USSD code in the form of a tel: URL, it could trigger a factory data reset that wipes your phone back to factory settings. USSD means Unstructured Supplementary Service Data, which is a protocol commonly used by carriers to execute instructions on your phone. You may have used it previously to recharge your prepaid service or check your balance, for example. It appears that Samsung has its own USSD code that instructs the phone to initiate a factory reset.
Normally, the dialler would prompt you to continue, but the TouchWiz dialler is crucially missing that important step and instead automatically executes the code received from other apps on your phone, including the browser. You could potentially even wipe someone else’s phone remotely by simply sending an SMS that links to the trigger code.
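To make the mechanism concrete, here is an added example (not code from the article, Samsung or Android) that models the two sides of the problem from a defender's view: how a dial string arrives through a tel: link, and the confirmation gate a dialler should apply before acting on it. It assumes that browsers percent-encode `#` as `%23` in tel: links, uses the benign IMEI display code `*#06#` (the one whose result the article's test link shows) as its sample MMI code, and uses a constructed HTML snippet with a made-up phone number as input. The `find_mmi_links` helper is the detection side: it can run over page or message text in a filter to flag tel: links that carry a code rather than a number.

```python
import re
from urllib.parse import unquote

# Added example, not code from the article or from Samsung/Android.
# It models how a dialler should treat a dial string handed to it by
# another app (browser, SMS client) via a tel: link.

# '*' and '#' turn a dial string into an MMI/USSD code that the dialler
# would send to the network or handle locally, rather than a phone number.
MMI_MARKERS = frozenset("*#")

# Loose match for tel: links embedded in HTML or message text.
TEL_LINK_RE = re.compile(r"tel:[^\s\"'<>]+", re.IGNORECASE)


def parse_tel_url(url: str) -> str:
    """Return the percent-decoded dial string from a tel: URL.

    Browsers usually percent-encode '#' as %23 (and sometimes '*' as %2A)
    in a tel: link, so a check that looks for '#' in the raw URL can be
    bypassed; always decode before classifying (assumption: RFC 3966 style).
    """
    if not url.lower().startswith("tel:"):
        raise ValueError(f"not a tel: URL: {url!r}")
    return unquote(url[len("tel:"):]).strip()


def is_mmi_code(dial_string: str) -> bool:
    """True if the dial string is an MMI/USSD code rather than a number."""
    return any(ch in MMI_MARKERS for ch in dial_string)


def dialler_action(url: str) -> str:
    """Decide what a dialler should do with a tel: URL from another app.

    'prefill'     - plain number: show it on the dial pad, user presses call
    'confirm_mmi' - MMI/USSD code: display it and require explicit
                    confirmation before it goes anywhere (the step the
                    vulnerable dialler skipped)
    'reject'      - empty or malformed
    Nothing received from another app is executed without user input.
    """
    try:
        dial_string = parse_tel_url(url)
    except ValueError:
        return "reject"
    if not dial_string:
        return "reject"
    if is_mmi_code(dial_string):
        return "confirm_mmi"
    return "prefill"


def find_mmi_links(text: str) -> list[str]:
    """Detection helper for a content filter: return the decoded dial
    strings of every tel: link in `text` that carries an MMI/USSD code."""
    found = []
    for match in TEL_LINK_RE.finditer(text):
        dial_string = parse_tel_url(match.group(0))
        if is_mmi_code(dial_string):
            found.append(dial_string)
    return found


# Constructed sample page: one ordinary (made-up) number and one link
# carrying the benign IMEI display code *#06#, percent-encoded the way a
# browser would emit it.
SAMPLE_HTML = (
    '<p>Call us: <a href="tel:+61-2-5550-0000">+61 2 5550 0000</a></p>'
    '<p><a href="tel:%2A%2306%23">Show IMEI</a></p>'
)

if __name__ == "__main__":
    for url in ("tel:+61-2-5550-0000", "tel:%2A%2306%23", "tel:", "http://x"):
        print(f"{url:<22} -> {dialler_action(url)}")
    print("MMI links in sample page:", find_mmi_links(SAMPLE_HTML))
```

The key design choice is that classification happens only after percent-decoding: a dialler or filter that inspects the raw URL for `#` would wave through `%23` and behave exactly like the vulnerable dialler described above. The `confirm_mmi` outcome is what an alternative dialler that "doesn't execute USSD codes automatically" provides.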
The problem reportedly only affects phones using the TouchWiz interface, which is the customised skin Samsung puts on its Android devices. The vulnerability has been confirmed on the Samsung Galaxy S II and AT&T’s Samsung Galaxy S III, but it would be wise to assume that any Samsung Android phone running the TouchWiz UI could be affected until we find out otherwise.
Update: One device that is definitely compromised in Australia is the Samsung Galaxy S III 4G (i9305). We have replicated the bug on a Galaxy S III 4G, which is about to ship on Optus, Telstra and Virgin as a flagship 4G device.
Here’s a list of the other potentially compromised phones:
• Samsung Illusion SCH-I110 (TouchWiz 3.0)
• Samsung Infuse 4G (TouchWiz 3.0)
• Samsung Rugby Smart (TouchWiz 3.0)
• Samsung Droid Charge
• Samsung Galaxy Gio (TouchWiz 3.0)
• Samsung Galaxy Fit (TouchWiz 3.0)
• Samsung Galaxy Mini (TouchWiz 3.0)
• Samsung Galaxy Mini 2 (TouchWiz 3.0)
• Samsung Galaxy 3 (TouchWiz 3.0)
• Samsung Galaxy 5 (TouchWiz 3.0)
• Samsung Captivate Glide (TouchWiz 4.0)
• Samsung Gravity Smart
• Samsung Exhibit II 4G (TouchWiz 4.0)
• Samsung Galaxy Y (TouchWiz 4.0)
• Samsung Galaxy W (TouchWiz 4.0)
• Samsung Galaxy R (TouchWiz 4.0)
• Samsung Galaxy Ace (TouchWiz 3.0)
• Samsung Galaxy Ace Plus (TouchWiz 4.0)
• Samsung Galaxy Ace 2 (TouchWiz 4.0)
• Samsung Galaxy Pro (TouchWiz UI v3.0)
• Samsung Galaxy Pocket
• Samsung Galaxy S (TouchWiz 3.0 / TouchWiz 4.0)
• Samsung Galaxy S Blaze 4G (TouchWiz 4.0)
• Samsung Galaxy S Duos (TouchWiz 4.0)
• Samsung Galaxy SL I9003 (TouchWiz 3.0 / TouchWiz 4.0)
• Samsung Galaxy S Plus (TouchWiz 3.0 / TouchWiz 4.0)
• Samsung Galaxy S Advance (TouchWiz 4.0)
• Samsung Galaxy S II (TouchWiz 4.0)
• Samsung Galaxy S II Skyrocket (TouchWiz 4.0)
• Samsung Galaxy S III (TouchWiz Nature UX)
Update: According to Dylan Reeve, “Samsung have been aware of this issue for a few months and the latest firmware for Galaxy S3 (4.0.4) appears to resolve the issue.”
Update 2: Dylan also points out that you can avoid the problem if you install an alternative dialler application through Google Play. He says he used Dialer One.
It’s still not clear if the bug affects certain versions of TouchWiz or all of them, or if the problem is limited to certain regions or carriers. Samsung phones running stock Android are apparently not affected. For now, you can minimise exposure by using an alternative dialler (like the one mentioned above) that doesn’t execute USSD codes automatically. And back up your device as soon as you can.
Update: The security researcher who first raised the alarm has a test link that will tell you if your phone is affected or not. Click on this link from your phone. If you see your IMEI code pop up, your phone is vulnerable and will need to be patched.