Update: We have confirmation that this exploit is also fixed in Jelly Bean, so any device running Android 4.1 should be safe.
Auto-executing USSD codes is an Android bug that was fixed in Jelly Bean, see last 3 commits: android.googlesource.com/platform/packa…
— Nagy Ferenc László (@nflnfl) September 25, 2012
There has been a lot of misinformation floating around this morning about an alleged "exploit" on Samsung phones that allows the entire device to be wiped from the browser using what's called a USSD code. Basically, a bit of Android intent code cleverly placed in a web page can call up your dialer and insert a code that wipes the whole device (the USSD code), all without you ever confirming anything.
Unfortunately, everyone (ourselves included) kind of jumped the gun on this without consulting the experts first, and things are more complicated than we thought. Some outlets are reporting that this glitch affects the Samsung Galaxy S III (such as the AT&T version here in the US), but our own evidence suggests otherwise. Here's a stock AT&T Galaxy S III on the latest OTA update (issued last week) initiating the exploit - it doesn't work. It just goes to a blank dialer.
We know for certain that an update to the unlocked international version of the Galaxy S III (an Ice Cream Sandwich incremental patch) was issued some time ago that addressed this exploit as well. We cannot speak with absolute authority as to whether all Samsung Galaxy S IIIs have had this fixed, as the carrier update rollout process can result in significant delays in this regard.
What we do know is that every variant of the Galaxy S III in the United States received very similar OTA updates in the last few weeks (see: Verizon, T-Mobile, Sprint, AT&T). And if the exploit isn't working in the most recent AT&T OTA, it's probably fair to assume the same fixes were contained in the other three carriers' updates. So, if your GS3 is up to date, you're probably not vulnerable.
We've also heard the issue has been patched in newer updates on phones like the Galaxy Reverb, so it's clear Samsung is very much aware of the problem, and has already started addressing it on multiple pieces of hardware.
And, as we said in our initial post, this isn't even a Samsung issue, strictly speaking. It's an Android one that has been known for ages, and manufacturers have been extremely slow to patch it. Nexus devices seem unaffected, but any unpatched device could be vulnerable (from any manufacturer) if the correct USSD code were pasted in place of the Samsung one that has been widely reported this morning. It would not be rocket science, then, to make this exploit work on an HTC device (we're hearing this is unpatched on all HTC phones).
Is this still a bad exploit? Definitely. Especially if you're on a still-vulnerable Samsung device (as some GS3s may very well be in some regions). But Samsung has obviously been on the case for some time, quietly patching it up. We'll let you know if we learn anything else.