How to check if your Android phone is vulnerable to the USSD security flaw
- — 26 September, 2012 15:20
The Samsung Galaxy S III is one Android phone that is susceptible to the USSD security flaw.
A security flaw has been discovered on various Android smartphones that allows a USSD code to perform a factory reset without any confirmation prompt. Is your Android phone at risk? Here's how to find out.
The USSD flaw was highlighted overnight at a Security Conference in Buenos Aires, Argentina by Ravi Borganokar, a researcher in the telecommunications department at the Technical University of Berlin. It was first said to occur only on various Samsung smartphones running the TouchWIZ UI overlay, but it has since been discovered that the problem can affect various other Android phones, too.
The USSD codes themselves aren't a problem, but on some Android phones these can be executed without a confirmation prompt. Some of these codes, typed into the phones keypad, are harmless (such as the one used to display a phone's IMEI number) but other codes can factory reset the phone. USSD codes typically start with an asterisk (*) followed by numbers and almost always end with a hash (#).
On Android phones that don't require a confirmation prompt, a factory reset USSD code can be dialled automatically by the phone. While it's almost impossible to dial the code into the dialler accidentally, this code could be embedded into a URL link, a QR code, or an SMS by a hacker. This would mean you phone would be factory reset as soon as you opened the malicious link.
To check if your Android phone is vulnerable, follow these steps:
1. Visit this link through your phone's Web browser. Don't worry, it's a test page so it's not going to reset your phone!
2. If your phone's dialler pops up and shows a number, your phone isn't affected and there's no need to worry. This is shown below on a Sony Xperia go:
However, if your phones dialler pops up and immediately displays a pop up menu with your IMEI number, your phone is vulnerable to this security flaw. This is displayed below on a Samsung Galaxy S III:
To fix this security flaw until your carrier or manufacturer issues a patch for the problem, you can download an app called TelStop. You can find it in the Google Play Store here.
1. Install TelStop from the Google Play Store. You should see this screen when you open it.
2. Close the app and now visit this link again through your phone's Web browser. You should now see a prompt that asks if you'd like to complete this action using your stock dialler or TelStop, as shown below:
3. To see the link, select TelStop. You will then receive a warning that this is likely a malicious code, as shown below:
From now on, if you click a link on your phone or scan a QR code and you see the above screen, it is likely to be hidden code that could wipe your phone.
Comments
Gnowlak
1
Yes, my phone is affected. it's HTC Sensation XE running Ice Cream Sandwich.
K9
2
Mine is also affected. Samsung galaxy S II
Steven
3
Virgin Mobile Optimus Elite affected!
Xerab
4
Running Android 4.1.1. (Jelly Bean) stock on an international Galaxy Nexus. It displays the IMEI.
nic de vera
5
Motorola Fire XT531 on Android 2.3.5 affected.
william
6
my phone is the HTC Senssation 4g runiing ice cream sandwich after i downloded the telstop app i did everything the way it was suppose to be done but the phones imei still comes up what should i do now
Dev
7
My Vodafone Samsung Galaxy Nexus is affected.
Tan BC
8
Yes. HTC Sensation running on ICS.
I'm scared
9
galaxy ace, 2.3.3 affected
Matttttttt
10
My phone is NOT affected.
Samsung Galaxy S Plus running CM9 by Ivendor (ICS 4.0.4).
Alan Koshy
11
Ma phone safe!! Yeah!!
Galaxy SIII... International version (Android v 4.0.4) ICS..
Ross Catanzariti
12
Wow, seems this problem is really widespread.
Maurice
13
Htc Wildfire S on 2.3.5 is affected :(
Fat Bob
14
Galaxy S (GT-I9000) using Firmware 2.3.6 is not vulnerable.
thomas
15
htc one x on vodafone australia is affected
Gentry
16
Cm9 on HP touch pad... I think it's safe. It doesn't show an IMEI just asks if I want to add #06# to my contact list... if the device does not have cellular, is there any risk? No dialer application, no way to dial the reset code right?
WillyK3
17
HTC Thunderbolt running gingerbread is not at risk
WillyK3
18
HTC Rezound running ICS is not affected.
Ross Catanzariti
19
Hi Gentry,
I don't believe USSD codes can be dialled without some form of data connection i.e cellular or Wi-Fi.
Deano
20
Thanks for that, hope they learn
The dark lord
21
HTC One X on AT&T is affected. Let's see how long it takes AT&T to patch it...
mark
22
Is this only a problem in the stock Android Web browser?
idris
23
if the dialer pop up and does not show anything,is it affected?
Liz
24
HTC One xl Telstra affected
Liz
25
Dialler popped up but so did IMEI no. HTC one xl Telstra, affected?
Carl
26
thank you, my galaxy ace was unprotected.
Peter
27
Galaxy Ace, 2.3.3
Stock browser - instant dial, vulnerable
Opera Mobile - stops script, safe
Opera Mini - instant dial, vulnerable
Tatmummy
28
Both My Samsung Galaxy Y and my Galaxy tab were vulnerable. Now installed Telstop and Dialer One
Dipta
29
My Live with Walkman running gingerbread is also affected.it pops up the dialer showing the imei code.
cistamlaka
30
My dads gnote clone n8000 shows imei when I click the link.So can I fix it?
Malte
31
Vulnerable on a Sony Ericsson Xperia Pro.
Devin
32
LG Optimus One w/ Cyanogenmod 7.2 nightly affected by the USSD hack.
Gentry
33
HTC evo 4g (with cm9 based rem-ics from) - shows the IMEI. Using chrome... need to get me the patch
Mike Hunt
34
Samsung Strat..... NOT Affected
Kip
35
Samsung Galaxy Ace GT-S5830 Android 2.3.5 - vulnerable. Thank you!
Lokifish Marz
36
So far I've seen the bug on Moto Atrix and Photon running stock and CM7, OG Epic running CM9 and a couple other devices. This is much bigger than a handful of devices.
It's also a browser issue as well. The only major browser that seems (sorta) unaffected is Opera Mobile. It gives prompt "Loading of external frame source tel:*%2306%23 suppressed (click to view)"
alvin
37
htc desire s affected. i am a user in singapore, on m1 network.
Bri
38
Huawei G300 on Vodafone UK is Vulnerable!!!!!!!!!!!!
heli
39
HTC Desire HD + Blackout ICS Custon-Rom (4.0.4) affected
drnadeem
40
face sd card and internet not open and sim card identification problems at my set samsung galaxy y dues cell +923006848019
Arys64
41
My phone: Galaxy S2 T989 is affected. I'll see if it can be fixed my replacing the rom with CM or AOKP.
Alastair
42
Xperia ™ S running Aus Vodafone ICS 4.0.4 update, not affected
Alin Vlad
43
Hi there,
Just wanted to let you know that we (Bitdefender) already released a tool on the Play Store that protects against this vulnerability. Now, once you would tap on a exploiting link, Bitdefender will intercept the wipe command and ask you to decide what to do next. You may, if unsure, dismiss the USSD command.
You can download it from: http://bit.ly/BD_USSD_Wipe_Stopper
/Alin Vlad
Global Social Media Coordinator at Bitdefender
ddc
44
Galaxy SII international version with ICS is affected, however Lookout Security scanner can help to block the action
jrg
45
HTC MyTouch 4G slide with stock OS (android 2.3.4) affected.
Good job those who have released fixes/patches.
Rob
46
My droid x running gingerbread is affected. I installed TelStop and receivied the proper messages from the test sites listed in the Play stor app description. Thanks PC World!!
Peegeta
47
Thank you sorted
ARIFULLA KHAN
48
Karbonn A9 was affected...
Anshuman
49
Phone is completely safe!
LGP500 running Jelly bean(rooted, obviously!)
Kaz
50
Avira USSD blocker from Play Store works a treat, telstop didn't do anything on my S2 GT-I9100T
Frans Muniz
51
LG Optimus 3D - P920H / Android 2.3.5
Android Default Browser - runs the script and IS INFECTED - show IMEI (1) (2)
Maxthon Browser as default - don't run the script, so its safe to use (3)
Observations:
(1) before default browser run the script the system ask to me an default application to run it, the options are: avast! Number Validator, SMS Messenger or Phone Dialer. In other words, the script only runs if you clicked on "Phone Dialer" option.
(2) avast! is installed but don't catch this flaw... big mess, big fault...
(3) my preferred browser is Maxthon and its set as complete default with an app called Default App Manager Lite, so this is my suggested workaround to avoid the problem
Maxthon at Google Play:
https://play.google.com/store/apps/details?id=com.mx.browser#?t=W251bGwsMSwxLDIxMiwiY29tLm14LmJyb3dzZXIiXQ..
Default App Manager Lite at Google Play:
https://play.google.com/store/apps/details?id=com.appiator.defaultappmanager#?t=W251bGwsMSwxLDIxMiwiY29tLmFwcGlhdG9yLmRlZmF1bHRhcHBtYW5hZ2VyIl0.
Hope help someone.
Cheers from Brazil!
Frans Muniz
52
Hi all!
I have made an question on avast! official forum and the solution is very simple!!
Install avast!, and when your system ask for "program" to execute the script, just select avast! Number Validador... dont forget to click the "default" or "always" for this kind operation...
Done and safe!!
Cheers
e430benz98
53
NOT effected Samsung Galaxy S3 AT&T with Jelly Bean 4.1.1
Dialer shows up but doesn't display IMEI
Frogzter
54
HTC Desire HD, running trick droid 4.0 affected
TomPy
55
Pantech Crossover on Gingerbread IS affected.
Since I have DialerOne installed I get a popup asking if I want to use that or the stock Dialer,
So I guess if I ever see that, I'll know to be wary.
swthrt628
56
Tmobile my touch4g (HTC) running Android 2.3.4 is not protected
Trevor Johnson
57
My Samsung Galaxy Ace GT-S5830i was affected. But after installing the manufacturer's update (from build .XXLE3 to .XXLK3) it doesn't exhibit the flaw (the number doesn't get entered into the keypad at all).