A vulnerability in the Android dialler application that leaves some devices open to a remote wipe exploit may affect South Africans.
Initial reports suggested that the vulnerability was linked to Samsung’s TouchWiz customisation of Android, but it has since been revealed that the problem seems to stem from the default Android dialler.
The exploit revolves around older versions of Android automatically dialling a USSD code when one is passed to the dialler through Android’s “intent” system.
One way to do this is through a simple bit of HTML code that the browser on the device passes through to the phone’s dialler.
The vulnerability appears to have been patched recently, and newer versions of Android are reportedly not affected.
Samsung have not responded to our requests for comment on the issue, but have told international media that they have patched the problem in the Samsung Galaxy S3.
However, The Verge reported that they found an AT&T variant of the device that was vulnerable to the exploit when they tested it.
In our own testing of the security hole, we found that the Samsung-built Google Galaxy Nexus running the latest version of Android, HTC One X, HTC Desire, and HTC Sensation were not vulnerable to the exploit.
The diallers of these devices do not seem to automatically dial USSD codes that start with only asterisks (*), such as *111#. Instead, the dialler is launched with the number shown and the user must push the “call” button for it to run.
Codes that end in “#” are still automatically processed if the first symbol dialled is not an asterisk.
However, the code of this form listed as HTC’s “secret” factory reset sequence does not do anything on the devices tested.
Asked for comment on the matter, HTC provided the following statement:
We are aware of the potential USSD vulnerability that’s been reported and had already taken measures to address this issue on our devices prior to the public disclosure of this vulnerability. While our devices do not support a USSD code to factory reset option, we always recommend that customers avoid modifying or rooting their device in order to preserve the device security measures in place. Security is a critical part of an excellent device experience and continues to be a key priority for HTC.
What can you do?
Users whose devices are vulnerable to the exploit can install apps that will intercept the Android “tel:” intent to guard against hacks that make use of it.
The Register reported on an app called TelStop by security researcher Collin Mulliner that publishes a handler for the “tel” protocol.
Another easy solution for those worried about the vulnerability is to install a third-party dialler.
By default, this will cause the operating system to launch a dialog prompting the user to choose which dialler to use, allowing you to cancel before the potentially harmful code reaches either of the diallers installed on your device.
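The check that a “tel:” intercepting app has to make can be sketched as follows. This is an added example, not TelStop's code or anything from the vendors mentioned above; the function name, the verdict labels and the sample URIs are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Visual separators a tel: number may carry: spaces, "-", ".", "(", ")".
_SEPARATORS = re.compile(r"[\s\-.()]")
_PLAIN_NUMBER = re.compile(r"\+?\d+")


def classify_tel_uri(uri):
    """Return (verdict, dial_string) for a tel: URI handed over by another app.

    "pass"    ordinary phone number, safe to hand to the real dialler
    "confirm" contains * or # (USSD/MMI style), show it and wait for the user
    "reject"  not a usable tel: URI
    """
    scheme, sep, rest = uri.strip().partition(":")
    if not sep or scheme.lower() != "tel":
        return ("reject", "")
    # Drop parameters such as ";ext=12" before decoding.
    number = rest.split(";", 1)[0]
    # Decode exactly once before inspecting: "#" normally arrives as %23,
    # so checking the raw string would miss it.
    number = _SEPARATORS.sub("", unquote(number))
    if not number:
        return ("reject", "")
    if "*" in number or "#" in number:
        return ("confirm", number)
    if _PLAIN_NUMBER.fullmatch(number):
        return ("pass", number)
    # Anything else (letters, leftover %xx from double encoding) is refused.
    return ("reject", number)


# Constructed sample inputs; *111# is the harmless code quoted in the article.
SAMPLES = [
    "tel:+27 11 555 0100",
    "tel:*111%23",
    "tel:123%23",
    "tel:%2523",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", classify_tel_uri(sample))
```

Codes that end in “#” without a leading asterisk are also held for confirmation here, which covers the case the tested diallers still processed automatically.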