App protects Samsung smartphones against remote wiping
As publicised yesterday (Tuesday), some Android-based Samsung smartphones can be wiped remotely without the owner's consent via specially crafted web pages or SMS text messages. A new app has now been added to the Google Play Store that aims to protect users against this problem: NoTelURL is a free tool developed by Jörg Voss that ensures that USSD control codes can no longer be executed without any user interaction. The APK installation file can also be downloaded directly from the developer's own site.
The app tells the system that it is responsible for handling URLs which start with TEL:, the designator for links to telephone numbers. Usually, only the default telephone dialler app accepts links of this type. With two programs offering to handle this link type, users who click on such links are given a choice. If they select NoTelURL, the app will intercept the process.
If this dialog opens by itself, an attacker could be trying to factory reset the phone, causing data loss. In tests by The H's associates at heise Security, the tool reliably prevented control codes from being injected via malicious web pages and QR codes. However, the selection dialog also appears when TEL: links are used legitimately, for example after clicking on a "call" link on a Google search results page. Those who frequently use such links will soon wish for an official Samsung patch.
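The distinction between an ordinary "call" link and a TEL: link that carries a USSD-style control code can be checked mechanically, for example by a filter or a page scanner. The following is an added example, not NoTelURL's code and not taken from the article; the function names and the sample markup are constructed, and *#06# (the standard code that displays the IMEI) is used as a harmless stand-in for a control code.

```python
import html
import re
from urllib.parse import unquote

# '*' and '#' make up USSD/MMI control codes; an ordinary number never has them.
CONTROL_CHARS = set("*#")
# Ordinary dialable number: optional '+', digits and visual separators.
PLAIN_NUMBER = re.compile(r"^\+?[0-9().\- ]+$")
# Any tel: URI in the markup, matched case-insensitively ("TEL:" counts too).
TEL_URI = re.compile(r"""\btel:[^"'\s<>]*""", re.IGNORECASE)


def classify_tel_uri(uri):
    """Return 'plain', 'control-code' or 'other' for a single tel: URI."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() != "tel":
        raise ValueError("not a tel: URI")
    # Undo HTML entities first, then percent-encoding ('#' travels as %23).
    decoded = unquote(html.unescape(rest))
    if CONTROL_CHARS & set(decoded):
        return "control-code"
    number = decoded.split(";", 1)[0]  # drop parameters such as ;ext=12
    # Anything that is neither a clean number nor a visible code (for example
    # a doubly encoded value) is 'other' and deserves a manual look.
    return "plain" if PLAIN_NUMBER.match(number) else "other"


def scan_page(markup):
    """List (uri, verdict) for every tel: URI found anywhere in the markup."""
    return [(m.group(0), classify_tel_uri(m.group(0)))
            for m in TEL_URI.finditer(markup)]


# Constructed sample page: two legitimate call links, two control-code links.
SAMPLE_HTML = """
<a href="tel:+1-555-0100">Call us</a>
<a href="TEL:*%2306%23">Support</a>
<a href="tel:0800%20123;ext=12">Hotline</a>
<a href="tel:*&#35;06&#35;">Info</a>
"""

if __name__ == "__main__":
    for uri, verdict in scan_page(SAMPLE_HTML):
        print(f"{verdict:13} {uri}")
```

A filter built on this would let 'plain' links through to the dialler and hold back the other two verdicts, which avoids prompting the user for every legitimate call link.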
Meanwhile, Samsung has told International Business Times that, in the Galaxy S III, the issue has already been fixed with an update. When heise Security tested this on Monday afternoon, they were indeed unable to exploit the hole. However, they were successful with a Samsung Galaxy S2 running Android 2.3.6. Online reports indicate that many other models such as the Galaxy Ace, the Beam and the S Advance are also affected. Samsung was unable to say whether or when these devices will be updated.
Apparently, the USSD code execution issue also affects smartphones from other manufacturers such as HTC, Motorola and Huawei, although there is no known code that will cause users' data to be wiped without user permission on these phones. However, attackers could potentially exploit the codes to trigger other control features such as call forwarding.
Users can find out whether their smartphones are affected via the USSD check feature on our browser check page. Navigate to the page on your smartphone. If a notification containing your phone's IMEI (serial) number is displayed, your device is potentially vulnerable.