Last week, we reported how a vulnerability on some Samsung smartphones could wipe a user’s data in just one tap. There are now concerns that this flaw could be exploited on other Android devices, but thankfully both Lookout and ESET have released solutions to protect users.
The exploit discovered by security researcher Ravi Borgaonkar used a single line of code to trigger a USSD code to be automatically dialled by the smartphone. These dialled codes can execute commands – such as *#06#, which reveals a device’s IMEI number when entered.
However, other USSD codes exist that can restore a phone’s factory settings, thus completely deleting all user data. It has been widely demonstrated that this vulnerability can be exploited on various Samsung smartphones, such as the Galaxy S II, Galaxy S III, Galaxy Beam and Galaxy Ace, but the fault may lie with the stock Android dialler application, meaning other devices could also be at risk.
Good looking out
According to Lookout, a smartphone security company, Google patched this security issue almost three months ago. However, the patch may not have been integrated into all Android devices by manufacturers. While some manufacturers and carriers have issued patches for various devices, Lookout has also updated its Lookout Mobile Security app to protect its users from dialler-based attacks.
The update, issued on Friday, launches Lookout Mobile Security if a dialler code is tapped by the user, either knowingly via a tel: code on a website or unknowingly via a malicious link. Tapping these links will prompt users to either launch the dialler application or to first scan the code with Lookout to ensure the number is safe.
If Lookout finds that the number will erase a user’s data or result in any action that might have unexpected consequences, the user will receive a warning. If no risk is detected by the app, the dialler application will continue dialling the number as selected.
Security software provider ESET has also released a free app to protect users from these attacks. ESET USSD Control lets users check potentially malicious numbers before they are dialled and the app will also block malicious websites abusing USSD codes.
Each time a malicious USSD code is found, the app blocks its execution. When prompted, users can also select ESET USSD Control as their default dialler, ensuring that all numbers will be scanned before dialling.
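To make the scan-before-dial step concrete, here is an added example (my own illustration, not code from Lookout, ESET or any Android dialler) that pulls tel: targets out of page markup, decodes them and decides whether each one should be dialled, held for user confirmation or blocked. It assumes that USSD/MMI codes have the form "starts with * or #, ends with #" and that the sample HTML and policy labels are constructed for this demonstration.

```python
import re
from urllib.parse import unquote

# USSD/MMI-style dial strings start with * or # and end with #, with only
# digits, * and # in between. The page's own example is *#06# (shows the IMEI).
USSD_RE = re.compile(r'[*#][0-9*#]*#')
PHONE_RE = re.compile(r'\+?[0-9][0-9 .()\-]*')

# tel: targets in href= or src= attributes (a link or an embedded frame can
# both hand a tel: URI to the dialler).
TEL_ATTR_RE = re.compile(r'(?:href|src)\s*=\s*["\']tel:([^"\']*)["\']', re.IGNORECASE)

def extract_tel_targets(html: str) -> list[str]:
    """Return the raw (still percent-encoded) tel: targets found in the markup."""
    return TEL_ATTR_RE.findall(html)

def classify_dial_string(raw: str) -> str:
    """Decode a tel: target and classify it: 'number', 'ussd' or 'invalid'.

    A literal '#' cannot appear in a URL (it starts the fragment), so a page that
    wants the dialler to receive a USSD code has to percent-encode it as %23.
    Decoding first means the check sees what the dialler will see.
    """
    dial = unquote(raw).strip()
    if not dial:
        return "invalid"
    if USSD_RE.fullmatch(dial):
        return "ussd"
    if PHONE_RE.fullmatch(dial):
        return "number"
    return "invalid"

def dial_policy(raw: str) -> str:
    """Scan-before-dial decision for one tel: target (constructed policy labels).

    Plain numbers pass straight to the dialler, USSD codes are held until the
    user explicitly confirms them, and anything else is blocked.
    """
    return {"number": "dial", "ussd": "confirm", "invalid": "block"}[classify_dial_string(raw)]

def scan_page(html: str) -> list[tuple[str, str, str]]:
    """(raw target, decoded dial string, decision) for every tel: URI on a page."""
    return [(raw, unquote(raw).strip(), dial_policy(raw)) for raw in extract_tel_targets(html)]

# Constructed sample page: an ordinary number, the IMEI-display code, and junk.
SAMPLE_HTML = """
<a href="tel:+44 20 7946 0000">Call us</a>
<a href="tel:%2A%2306%23">Show IMEI</a>
<a href="tel:abc">bad</a>
"""

if __name__ == "__main__":
    for raw, decoded, decision in scan_page(SAMPLE_HTML):
        print(f"{raw!r:28} -> {decoded!r:18} {decision}")
```

The percent-decoding step is the part that matters in practice: a check that inspects the raw href would never see the trailing "#" and would wave the code through as if it were a number.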
Lookout reports that it is unaware of any malicious dialler-based attacks in the wild, but the fact that this vulnerability exists and that it could potentially wipe a user’s data or execute other USSD commands means that precaution – and protection – is advisable.