25 Sep

Update: We have confirmation that this exploit is also fixed in Jelly Bean, so any device running Android 4.1 should be safe.

There has been a lot of misinformation floating around this morning about an alleged "exploit" on Samsung phones that allows the entire device to be wiped from the browser using what's called a USSD code. Basically, a bit of Android intent code cleverly placed in a web page can call up your dialer and insert a code that wipes the whole device (the USSD code), all without you ever confirming anything.

Unfortunately, everyone (ourselves included) kind of jumped the gun on this without consulting the experts first, and things are more complicated than we thought. Some outlets are reporting that this glitch affects the Samsung Galaxy S III (such as the AT&T version here in the US), but our own evidence suggests otherwise. Here's a stock AT&T Galaxy S III on the latest OTA update (issued last week) initiating the exploit - it doesn't work. It just goes to a blank dialer.

We know for certain that an update to the unlocked international version of the Galaxy S III (an Ice Cream Sandwich incremental patch) was issued some time ago that addressed this exploit as well. We cannot speak with absolute authority as to whether all Samsung Galaxy S IIIs have had this fixed, as the carrier update rollout process can result in significant delays in this regard.

What we do know is that every variant of the Galaxy S III in the United States received very similar OTA updates in the last few weeks (see: Verizon, T-Mobile, Sprint, AT&T). And if the exploit isn't working in the most recent AT&T OTA, it's probably fair to assume the same fixes were contained in all three other carriers' updates. So, if your GS3 is up to date, you're probably not vulnerable.

We've also heard the issue has been patched in newer updates on phones like the Galaxy Reverb, so it's clear Samsung is very much aware of the problem, and has already started addressing it on multiple pieces of hardware.

And, as we said in our initial post - this isn't even a Samsung issue, strictly speaking. It's an Android one that has been known for ages, and manufacturers have been extremely slow to patch it. Nexus devices seem unaffected, but any unpatched device could be vulnerable (from any manufacturer) if the correct USSD code was pasted in place of the Samsung one that has been widely reported this morning. It would not be rocket science, then, to make this exploit work on an HTC device (we're hearing this is unpatched on all HTC phones).

Is this still a bad exploit? Definitely. Especially if you're on a still-vulnerable Samsung device (as some GS3s may very well be in some regions). But Samsung has obviously been on the case for some time, quietly patching it up. We'll let you know if we learn anything else.

David Ruddock
David's phone is whatever is currently sitting on his desk. He is an avid writer, and enjoys playing devil's advocate in editorials, and reviewing the latest phones and gadgets. He also doesn't usually write such boring sentences.
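
One way a filtering proxy or an intercepting dialer could tell an ordinary phone link from one carrying a USSD/MMI code, as an added example (not code from the article or from any vendor's patch). It assumes the code reaches the dialer as a `tel:` URI; `classify_tel_uri`, `scan_page` and the sample page are constructed for illustration, and the sample uses the harmless IMEI-display code `*#06#`.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

_SEPARATORS = re.compile(r"[\s\-.()]")   # visual separators allowed in numbers
_PLAIN_NUMBER = re.compile(r"\+?\d+")


def classify_tel_uri(uri: str) -> str:
    """Return 'number', 'code' or 'not-tel' for a URI taken from a page."""
    scheme, sep, rest = uri.strip().partition(":")
    if not sep or scheme.lower() != "tel":
        return "not-tel"
    # Decode before inspecting: '#' usually arrives as %23, because a raw
    # '#' would otherwise start a URL fragment. Both forms end up here.
    dialed = unquote(rest)
    # Drop RFC 3966 parameters (;ext=...) and visual separators.
    dialed = _SEPARATORS.sub("", dialed.split(";", 1)[0])
    if "*" in dialed or "#" in dialed:
        return "code"
    # Fail closed: anything that is not a plain number is treated as a code.
    return "number" if _PLAIN_NUMBER.fullmatch(dialed) else "code"


class TelUriScanner(HTMLParser):
    """Collect every tel: URI found in any attribute of any tag."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            # HTMLParser has already decoded entities such as &#42; here.
            if value and value.strip().lower().startswith("tel:"):
                self.findings.append((tag, name, value, classify_tel_uri(value)))


def scan_page(html: str):
    """Return the findings whose tel: URI carries a code, not a number."""
    scanner = TelUriScanner()
    scanner.feed(html)
    scanner.close()
    return [f for f in scanner.findings if f[3] == "code"]


# Constructed sample page: one ordinary number, two encodings of *#06#.
SAMPLE_PAGE = """
<a href="tel:+1-555-0100">Call support</a>
<a href="tel:*%2306%23">Call sales</a>
<a href="TEL:&#42;%2306%23">Call billing</a>
"""
```
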

  • Droid

    Galaxy S II phones are still wide open and vulnerable to this. Big time.

    • http://twitter.com/TeamAndIRC Justin Case

      So are HTC, ZTE, etc etc. At least Samsung is pushing out fixes.

  • http://www.facebook.com/jake.brandon1 Jake Brandon

    You didn't hear that Apple has its own team working on viruses to target android devices especially the GS3?

  • Kernschatten

    Nice job providing the extra clarification. It really sets you guys apart.

    A lot of other sites just yell "The sky is falling!" and never follow up.

  • http://www.facebook.com/stipe.hodak Stipe Hodak

    All Samsung and HTC devices running Android up to 4.0.3 (including Cyanogen and other mods) are vulnerable. Until we get a patch, the workaround is to install a second dialer app (like CallApp) and when the code executes, you first have to select the dialer (which, using common sense, should be a good indication that upon browsing a website, you don't need a dialer so you can cancel the request).

  • http://twitter.com/artesea Ryan Cullen

    Your phone is only at risk if a USSD command can do harm. On the Samsung phones this can mean Factory Reset. However, for others I have not seen anything as damaging.

    • http://dylanreeve.com/ Dylan Reeve

      Samsung and HTC both have factory reset codes on some devices at least. There are also other harmful or at least annoying codes that can be executed.

  • http://www.facebook.com/profile.php?id=1745689461 Hal Motley

    I have two questions about this:

    1. Does this affect CyanogenMod (it shouldn't, but to be on the safe side)?

    2. Does this affect CDMA variants of the Galaxy S II?

    • http://www.facebook.com/daniel.streit.35 Daniel Streit

      Tested something like that with a test web page I found somewhere. Didn't work in CM10... didn't want to auto dial the USSD code. After doing it on purpose I got an error message.

      • http://dylanreeve.com/ Dylan Reeve

        I tested CyanogenMod 7 on an older Motorola Defy and found the vulnerability. As the core Android dialer was patched about 3 months ago it is unlikely to affect the newest builds.

        • http://www.facebook.com/profile.php?id=1745689461 Hal Motley

          Thanks for the clarification!

  • Nicola B.

    Latest Italian firmware is not vulnerable

    Galaxy S3 - I9300XXBLH1

  • AussieDude1284
    • blunden

      If they had done any research they would've known why their "proof" makes no sense. Entering the code manually is supposed to work and does work on most, if not all phones out there regardless of platform. The exploit was that it could be triggered via intents.

  • http://www.facebook.com/profile.php?id=568326659 Xavier Grosjean

    I have 4.0.4 on GS3 in France, and it still is vulnerable.
    Fortunately, installing another Dialer app is a workaround (even if not using it!)

  • blunden

    I backported the fixes to CM9 if someone wants to try it. They are as of yet untested.

    http://review.cyanogenmod.com/#/c/23952/

  • http://profiles.google.com/rhippert02 Russell Hippert

    This is an Android issue not just Samsung. From what I'm seeing (as in actually seeing it happen) is anything GB based is most likely affected. Even some ICS based ROMs are affected (both stock and AOSP). This is very not cool.
