25 Sep

Update 2: This exploit probably won't work on most Galaxy S IIIs as long as they have the most recent OTA update, as we demonstrate on video here.

Update: This issue is, unsurprisingly, a lot more nuanced than the video here lets on. The bug is based in the stock Android browser, is in fact quite old, and has been patched in more recent builds of Android - this is probably why Nexus devices running the most recent OTAs are unaffected. The fact is, this is not a Samsung problem, it's an old Android problem that has been known about for some time. More recent versions of Android avoid the wipe issue, but unpatched devices (like some Samsung phones) may still be vulnerable.

Ouch. This is not the type of PR Samsung needs right now. Apparently a new vulnerability has been found that can force a factory reset with zero user interaction on many Samsung phones running TouchWiz. The bug is found within the stock TW browser, which allows direct execution of dialer codes like the one used for this exploit. This code is easily embedded into HTML, so one tap of a malicious link will reset the phone instantly. Other browsers, like Chrome, Dolphin, etc. aren't affected, so we highly recommend switching if you've been using the stock TouchWiz browser.
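The mechanism described above is a tel: link (or a hidden iframe / meta refresh pointing at one) whose target is not a phone number but an MMI/USSD-style code that the stock dialer runs as soon as it is handed the URI. The following is an added example, not code from the original post or from any vendor: a small Python scanner a web proxy or mail gateway could run over fetched HTML to flag such links. The sample page and the dial string `*#00000#` are constructed placeholders, not the code used by the exploit; the point is the shape check and the fact that `#` and `*` arrive percent-encoded (`%23`, `%2A`) or as HTML entities.

```python
import html
import re
from urllib.parse import unquote

# Attribute values and meta-refresh targets a browser follows with no typing.
_URL_ATTR = re.compile(r'(?:href|src|url)\s*=\s*["\']?([^"\'\s>]+)', re.I)
# MMI/USSD shape: starts with * or #, body of digits and */#, ends with #.
_MMI = re.compile(r'^[*#][0-9*#]*#$')
# Accept tel:, tel:/ and tel:// (the thread mentions the tel:// form).
_TEL = re.compile(r'^tel:/{0,2}', re.I)

# Constructed sample page: one legitimate click-to-call link and three ways
# a placeholder MMI string could be pushed at the dialer without user input.
SAMPLE_HTML = """
<a href="tel:+15555550100">Call support</a>
<a href="tel:*%2300000%23">Claim your prize</a>
<iframe src="tel:%2A%2300000%23" style="display:none"></iframe>
<meta http-equiv="refresh" content="0;url=tel:&#42;&#35;00000&#35;">
"""


def normalise_target(raw):
    """Undo entity and percent encoding; return the dial string or None if not tel:."""
    target = unquote(html.unescape(raw)).strip()
    if not _TEL.match(target):
        return None
    return _TEL.sub('', target, count=1)


def is_mmi_code(number):
    """True when the dial string is shaped like a secret/USSD code, not a phone number."""
    return bool(_MMI.match(number.replace(' ', '')))


def find_dialer_codes(page):
    """Return every tel: target in the page that would hand an MMI/USSD code to the dialer."""
    hits = []
    for raw in _URL_ATTR.findall(page):
        number = normalise_target(raw)
        if number is not None and is_mmi_code(number):
            hits.append(number)
    return hits


if __name__ == "__main__":
    for code in find_dialer_codes(SAMPLE_HTML):
        print("dialer code in tel: target:", code)
```

Ordinary click-to-call numbers (`+1555...`) pass through; only targets that decode to the `*...#` / `#...#` form are reported.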

At this time it's unclear exactly how many Samsung phones are affected, but so far users have been able to reproduce the issue on the Galaxy S II (assume all variants), the Galaxy S Advance, Galaxy Beam, and Galaxy Ace, among others. From what we're hearing, the international GSIII variant should be unaffected, and the AT&T version was updated with a patch for this very exploit last week. It's unknown at this time whether or not the Sprint, Verizon, and T-Mobile variants are susceptible.

We'll keep you updated as more information comes to light.

[The Verge, Engadget]

Cameron Summerson
Cameron is a self-made geek, Android enthusiast, horror movie fanatic, musician, and cyclist. When he's not pounding keys here at AP, you can find him spending time with his wife and kids, plucking away on the 6-string, spinning on the streets, or watching The Texas Chainsaw Massacre on repeat.

  • Liquidretro

    More reason to love a stock Nexus device. No manufacturer skins to mess things up.

  • lennyuk

    This is an issue that affects Android as a whole: most stock dialers will allow auto-launching of USSD codes from the browser. The issue is made worse when that device has USSD codes that allow for a factory reset or format without confirmation; Samsung and HTC both do this, not sure on anyone else.

    This goes back as far as Android 2.1 (confirmed on an HTC Hero running 2.1), maybe earlier, but I've not been able to find anyone to test.

    THIS IS NOT JUST A SAMSUNG ISSUE!

    Also, Samsung were informed about this 3 or 4 months ago and have patched it on all new firmware for the Note and S3 (maybe other devices). As far as I know HTC and others are still vulnerable.

    • http://www.androidpolice.com/ David Ruddock

      Thanks lennyuk, we're talking about this with one of our in-house experts on the subject and getting this cleared up. Sounds like everyone got this wrong.

    • http://twitter.com/Twitteninja ZZ

      Do you have a link to the original bug on the tracker?

    • http://www.facebook.com/stipe.hodak Stipe Hodak

      Works on HTC Tattoo running Android 1.6.0 as well.

  • cornandbeans

    Now this is why we have to update to the latest versions... talking to you, OEMs!

  • fixxmyhead

    But I love the TouchWiz browser, it's my favorite one.

    • SamTheRecordMan

      haha... good one!

  • br_hermon

    So... I'm running Bugless Beast, built on AOSP, and I installed the Android browser (not included in the ROM). As long as I have an up-to-date version of Android, I have nothing to worry about, right? Even though I have the Android browser installed. The problem is old versions of Android, not the browser itself, right?

  • Dan

    The Sprint S2 is vulnerable.

  • http://www.facebook.com/stipe.hodak Stipe Hodak

    Works on my SGS II in Chrome also (as well as wife's HTC Desire + Chrome), so it's not limited to the stock browser. The problem is how the system handles the tel:// tag.

    • Bob

      Yeah, I believe so -- it works for me in Dolphin browser too.

  • Scorpineo

    Stock JB browser doesn't have this issue.

  • Matt

    I'll stick with Chrome and Avast on my HTC One S running AOKP, should be fine.

    • http://www.facebook.com/people/At-Rummy/100001252426946 A.t. Rummy

      Avast didn't do anything to stop this on my AT&T SGS2 (shoStock x2) using Chrome. What are your Avast settings?

      • http://www.facebook.com/people/Jamille-Browne/1184321457 Jamille Browne

        Anti-virus programs on Androids are merely for show, they don't do anything. This also isn't a virus, it's a code that is run on the phones that does it.

  • Simon Belmont

    Haha. I just tried this on stock Android 2.1 with HTC Sense on my old Hero.

    Thankfully I had a Nandroid ready to return to. Hehe.

  • http://twitter.com/TechnoBarnes R Barnes

    Watch this video by QBKing 77; the last half contains a workaround to prevent this exploit. http://www.youtube.com/watch?v=oPxOWXqj-Ss&feature=g-all-u