Security researchers have detailed a remote data-wipe attack that can be carried out on some handsets in Samsung’s Android TouchWiz range, including the SGS3, using a single line of code. The vulnerability seems to apply only to handsets that run TouchWiz, not to Android handsets in general. For instance, the code has been found to work on the Galaxy S III, Galaxy Beam, S Advance, Galaxy Ace and Galaxy S II, but not on the Samsung Galaxy Nexus, which runs stock Android.
The hack was detailed by Ravi Borgaonkar at the Ekoparty security conference, SlashGear reports. Using a single line of USSD code, which could be sent from a website, or pushed to the phone using NFC or a QR code, the attack can reset its target handset with no warning to the user. Once the code has started running, there is no way for the user to stop it and the handset will be wiped. It seems that TouchWiz handsets are vulnerable because they automatically dial the USSD code once it has been entered, whereas stock Android simply holds it in the dialler.
To make things worse, the attack can be doubled up to also kill the SIM card that is being used within the handset. It’s also possible for the handset to be pushed straight to a website running the malicious code using a WAP-push SMS message.
No doubt Samsung will want to address the issue pretty quickly. Given that stock Android is not affected, hopefully it will be a fairly simple update that is needed to fix the problem. As it stands, you’ll be unlikely to encounter the threat, but it is advised that you deactivate automatic side-loading in any QR code/NFC reader software that you do run. As always, you should be vigilant about opening any unknown links on your handset.
Update: Thanks to Ian for pointing out in the comments that ‘Chrome doesn’t run the USSD code in TEL: links, so changing the default browser to Chrome is probably a good start to avoiding this, at least as a short term workaround.’
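The check below is an added example, not code from the researchers or from Samsung. It shows how a QR/NFC reader or a link scanner could refuse to hand a `tel:` URI to the dialler when the number contains `*` or `#`, the characters that mark a USSD/MMI code. The function names and the sample page are assumptions made for illustration; the sample uses the harmless `*#06#` code and a fictional phone number.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

# Attributes that carry a URI the browser may hand to another app.
URI_ATTRS = {"href", "src"}


def is_ussd_tel_uri(uri: str) -> bool:
    """True if uri is a tel: URI whose number part contains '*' or '#'."""
    scheme, sep, rest = uri.strip().partition(":")
    if not sep or scheme.lower() != "tel":
        return False
    number = unquote(rest)  # '%2A' -> '*', '%23' -> '#'
    return "*" in number or "#" in number


class _TelCollector(HTMLParser):
    """Collects (tag, uri) pairs for every USSD-style tel: URI in a page."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser has already decoded entities such as '&#35;' here.
        for name, value in attrs:
            if name in URI_ATTRS and value and is_ussd_tel_uri(value):
                self.hits.append((tag, value))


def find_ussd_tel_uris(html: str):
    """Return the USSD-style tel: URIs found in an HTML document."""
    collector = _TelCollector()
    collector.feed(html)
    collector.close()
    return collector.hits


# Constructed sample page: one ordinary number, two encodings of *#06#.
SAMPLE_PAGE = (
    '<a href="tel:+441632960123">Call the office</a>'
    '<a href="tel:*%2306%23">Percent-encoded</a>'
    '<a href="TEL:*&#35;06&#35;">Entity-encoded</a>'
)

if __name__ == "__main__":
    for tag, uri in find_ussd_tel_uris(SAMPLE_PAGE):
        print(f"blocked <{tag}> link: {uri}")
```

A reader app would call `is_ussd_tel_uri` on the decoded QR or NFC payload before taking any automatic action on it.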
See the video below for a demo of ‘Dirty’ USSD codes in action.