Security Bug Can Wipe Out Your Android Phone By Visiting a Web Page (Update 3)

Illustration for article titled Security Bug Can Wipe Out Your Android Phone By Visiting a Web Page (Update 3)

Beware, Samsung customers! If you have a Samsung Android-based phone running their TouchWiz user interface, your telephone can be wiped out by going to any web page that contains the code "tel:*2767*3855%23" in an HTML frame.


Important update: It's not only Samsung with TouchWiz. Apparently it's happening with other Android phones too.

The vulnerability has been confirmed on the Samsung Galaxy II and AT&T's Samsung Galaxy S III, but it's probably common to any Samsung Android phone running the TouchWiz UI.

Here's how it works: the HTML frame loads a tel: URL. This url tells the telephone that its content is a clickable telephone number. However, instead of a phone number, the URL contains a special USSD code that tells the phone to wipe out itself. USSD means Unstructured Supplementary Service Data, special number sequences used by phone carriers to execute instructions in your phone.

Warning, don't click this from a Android phone: This page contains the code.

Here's a list of the potentially compromised phones:

• Samsung Illusion SCH-I110 (TouchWiz 3.0)
• Samsung Infuse 4G (TouchWiz 3.0)[4]
• Samsung Rugby Smart (TouchWiz 3.0)
• Samsung Droid Charge
• Samsung Galaxy Gio (TouchWiz 3.0)
• Samsung Galaxy Fit (TouchWiz 3.0)
• Samsung Galaxy Mini (TouchWiz 3.0)
• Samsung Galaxy Mini 2 (TouchWiz 3.0)
• Samsung Galaxy 3 (TouchWiz 3.0)
• Samsung Galaxy 5 (TouchWiz 3.0)
• Samsung Captivate Glide (TouchWiz 4.0)
• Samsung Gravity Smart
• Samsung Exhibit II 4G (TouchWiz 4.0)
• Samsung Galaxy Y (TouchWiz 4.0)
• Samsung Galaxy W (TouchWiz 4.0)
• Samsung Galaxy R (TouchWiz 4.0)
• Samsung Galaxy Ace (TouchWiz 3.0)
• Samsung Galaxy Ace Plus (TouchWiz 4.0)
• Samsung Galaxy Ace 2 (TouchWiz 4.0)
• Samsung Galaxy Pro (TouchWiz UI v3.0)
• Samsung Galaxy Pocket
• Samsung Galaxy S (TouchWiz 3.0 / TouchWiz 4.0)
• Samsung Galaxy S Blaze 4G (TouchWiz 4.0)
• Samsung Galaxy S Duos (TouchWiz 4.0)
• Samsung Galaxy SL I9003 (TouchWiz 3.0 / TouchWiz 4.0)
• Samsung Galaxy S Plus (TouchWiz 3.0 / TouchWiz 4.0)
• Samsung Galaxy S Advance (TouchWiz 4.0)
• Samsung Galaxy S II (TouchWiz 4.0)
• Samsung Galaxy S II Skyrocket (TouchWiz 4.0)
• Samsung Galaxy S III (TouchWiz Nature UX)

It's still not clear yet if the bug affects certain versions of TouchWiz or all of them.

We will keep updating this with new developments. If you have a Samsung phone and a backup and want to test it, please post the results in the comments or write to [Pau Oliva and Ekoparty via Twitter via The Verge]


Update: According to Dylan Reeve, "Samsung have been aware of this issue for a few months and the latest firmware for Galaxy S3 (4.0.4) appears to resolve the issue."

Update 2: Dylan also points out that you can avoid the problem if you install an alternative dialer application through Google Play. He says he used Dialer One.


Update 3: Dylan reports that the security bug is not limited to Samsung phones:

The remote USSD vulnerability I detailed in my last post (and now covered widely in the tech media) is not just a Samsung problem. The same general vulnerability (executing a USSD code without user intervention from a website, or other delivery vector) affects many phones. I've personally verified it on an HTC One X (running HTC Sense 4.0 on Android 4.0.3) and a Motorola Defy (running Cyanogen Mod 7 on Android 2.3.5).



Why would you put the actual link in the article? WTF?