Samsung moves to fix Android remote wiping threat highlighted by NZ blogger
Click on the wrong web link from your Android phone, and it could factory reset your handset, wiping all your data (for good, if you haven't backed up).
Android phone owners – particularly the Samsung Galaxy S3, but also other phones – are being warned about a malicious threat that could wipe their handset when they use their phone's web browser to visit a website with tel:*2767*3855# in its HTML (the software code used to create web pages).
NZ blogger Dylan Reeve, whose post on a workaround for vulnerability has been picked up by tech sites around the world, including Gizmodo and CNet, explains:
- Phones support special dialing codes called USSDs that can display certain information or perform specific special features. Among these are common ones (*#06# to display IMEI number [a unique 15 digit number that identifies a mobiel device]) and phone specific ones (including, on some phones, a factory reset code).
- There is a URL scheme prefix called tel: which can, in theory, be used to hyperlink to phone numbers. The idea being that clicking on a tel: URL will initiate the phone's dialer to call that number.
- In some phones the dialer will automatically process the incoming number. If it's a USSD code then it will be handled exactly as if it had be keyed in manually, requiring no user intervention to execute.
- A tel: URL can be used by a hostile website as the SRC for an iframe (or potentially other resources like stylesheets or scripts, I guess). It may then be loaded and acted upon with no user intervention at all.
Samsung now says it has it has a fix for the vulnerability for the Galaxy S3 and is encouraging owners to update their phone's Android software (click Apps, About Device, then Software Update). Presumably, it's in the pipeline. When I tried, my S3 said no update was available. For those confident with Android, Reeve has suggested an alternative fix: installing a new dialler.
Read Reeve's latest post on the issue here.
Also check out a simple test page Reeve created here: dylanreeve.com/phone.php.
If you click on it using your Android phone's browser but it makes your phone bring up its dialler (virtual keypad) showing an IMEI code (my S3 did) then you know your handset is vulnerable: