Early reports cited Technical University Berlin researcher Ravi Borgaonkar's presentation at the Ekoparty security conference in Argentina. He demonstrated that a line of HTML code can dial USSD codes that trigger Samsung Galaxy SII and SIII smartphones to initiate full data wipes.
[ The number of malicious Android apps is increasing. Read more at Android Warning: 50% Of Devices Need Patching. ]
The exploit--which can be executed via an embedded link, a QR code, or an NFC connection--was initially blamed on Samsung's TouchWiz UI, which the manufacturer layers over the base Android OS. Testing by the blog Android Police revealed, however, that the flaw originates in older versions of Google's mobile OS, meaning that the vulnerability is not Samsung-specific. The site additionally found that the exploit is not new, and that recent patches should effectively disable the threat.
Samsung has since responded, with a tweet promising action and a statement to TechCrunch that confirmed Android Police's assertion that "the security issue … has already been resolved." The statement urged SIII users to update if they have not already done so, but the status of older devices, such as the SII, is not yet clear. Updates can be downloaded using Samsung's Over-The-Air service.
Borgaonkar offered a test site for users to assess whether their phones are vulnerable, and at least one other such tool has appeared online. In addition to the patches, suggested workarounds have included turning off the phone's Service Loading feature, uninstalling barcode scanners, disabling NFC connectivity, and using a third-party dialer app.
Chris Morales, 451 Research's senior security analyst for enterprise security practice, said in an interview that it is "very important" to understand that "the real problem is what permissions Android allows," pointing out that developer APIs don't adequately block such vulnerabilities from surfacing. Nonetheless, Morales said this particular exploit is a relatively minor threat, even to those with unpatched devices.
"Wiping a phone is not as bad as losing data," he said, since the factory reset is only a true risk to users who don't back up their content. He likened the exploit to a denial-of-service attack: "It's annoying and no one likes it, [but it] scares me less than when [attackers] get root access."
Alexandru Catalin Cosoi, chief security research for Bitdefender, said in an interview that the exploit's future will probably involve pranks, if anything, rather than legitimately sinister schemes. Calling the vulnerability a "proof of concept," he stated that once such flaws become public, "they aren't actually implemented by malware writers because everyone expects them."
"Most of the vulnerabilities that get exploited are ones that aren't public yet," he asserted, adding, "[This vulnerability] works in a lab but should be fixed on most devices."
Mobile employees' data and apps need protecting. Here are 10 ways to get the job done. Also in the new, all-digital 10 Steps To E-Commerce Security special issue of Dark Reading: Mobile technology is forcing businesses to rethink the fundamentals of how their networks work. (Free registration required.)