Android USSD Control Code Problem
I have posted this on my other blog, but it seems to be pretty important so I wanted to add this small voice to the existing warnings to Android users (of which I am one).
So, if you have an Android phone, you need to be aware of a recently-discovered exploit. Most smartphone brands appear to be affected, not just Samsung devices as initially reported. Simply put, baddies can embed USSD codes in links, QR Codes, web pages and so on that can seriously muck up your device, including wiping the SIM – unless you are running the very latest version of Android – and only around 1 or 2 percent are running 4.1.x.
USSD (Unstructured Supplementary Service Data) codes can be used to issue commands to Android devices, and on most versions of Android the commands are accepted without prompting you. Apple’s iPhone handles these codes differently and don’t appear to be affected by any of this.
What to do? Firstly, you can check if your Android device is indeed vulnerable by browsing to this site on your phone’s browser:
If the vulnerability is present, then here are some steps you can take:
1 – update to the latest version of Android – version 4.1.x This is not as easy as it sounds unless you have a device running a “pure” version of Android, such as a Nexus phone – most carriers only issue updates infequently.
2 – install and use a different browser from the default one, that will help in web page-based attacks (but not from QR codes or elsewhere)
3 – install one of several free Apps from the Google Play Store that can filter these commands for you. The one I am using is from G Data and is called “USSD Filter“.
This is a real-world problem, and the exploits are out there, so it’s something you definitely need to take care of in my opinion.