IO.Hazard, 16. Jan 2013, 07:58 PM
Is your Android phone prone to USSD attacks?

As you may have read, last year Samsung reported a vulnerability in some of its Galaxy phones (including the Galaxy SIII) which could allow a malicious website to wipe (yes, WIPE) your device without any confirmation from you by dialing specific web-based USSD codes without the user knowing about it. Not long after, the Korean company published a patch to fix it, but new details around the web indicate that the problem goes beyond the Samsung product line and may affect models from other companies.

Want to check if your phone is protected? You can do it thanks to Dylan Reeve and a special page he prepared. Using your phone's browser, go to this site:

http://dylanreeve.com/phone.php

The site will launch a web-based (though inoffensive) USSD code [*#06#]. If your phone shows your IMEI number automatically, it means it's not protected against USSD attacks. However, if you see a system prompt asking for your confirmation before executing the USSD code, you're in luck and your phone is protected.

If you have Avast! or Sophos Mobile Security installed on your phone, chances are you are protected against USSD attacks, since Avast! includes a "Number Validator" and Sophos uses a "Check before Dialing" that will ask for your confirmation before dialing USSD codes executed through the web.

If you have another security suite installed on your phone, you can still protect it against web-based USSD attacks without switching to Avast! or Sophos. Just install the NoUSSD app from the Play Store:

https://play.google.com/store/apps/d...android.noussd

It is a small app (27k), requires no special permissions and it is, of course, completely free.
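The "ask before dialing" behaviour described in the post above can be sketched as a small filter. This is an added example, not part of the original post and not the code of Avast!, Sophos or NoUSSD: it assumes the web page hands the code to the dialer through a `tel:` URI, and the function names, classification rule and sample HTML are all constructed for illustration.

```javascript
// Added illustration: decide whether a tel: URI is an ordinary phone number
// or a USSD/MMI-style code that should trigger a confirmation prompt.
// The rule used here is an assumption, not the logic of any named app.

// Decode percent-escapes (%2A is '*', %23 is '#') without throwing on bad input.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Returns 'not-tel', 'ussd' (ask the user first) or 'number' (plain call).
function classifyTelUri(uri) {
  const m = /^\s*tel:(.*)$/i.exec(uri);
  if (!m) return 'not-tel';
  // Remove visual separators that a dialer ignores anyway.
  const dialed = safeDecode(m[1]).replace(/[\s\-().]/g, '');
  // Ordinary numbers contain no '*' or '#'; service codes such as *#06# do.
  return /[*#]/.test(dialed) ? 'ussd' : 'number';
}

// Scan markup for quoted attribute values that start with tel: and classify each.
function auditHtml(html) {
  const findings = [];
  for (const m of html.matchAll(/["'](\s*tel:[^"']*)["']/gi)) {
    const uri = m[1].trim();
    findings.push({ uri: uri, verdict: classifyTelUri(uri) });
  }
  return findings;
}

// Constructed sample page: one normal number, one percent-encoded *#06#.
const SAMPLE_HTML = `
<a href="tel:+1 (555) 555-0100">Call us</a>
<a href="tel:*%2306%23">Show IMEI</a>
<a href="https://example.com/">Home</a>`;

for (const f of auditHtml(SAMPLE_HTML)) {
  console.log(f.verdict.padEnd(7), f.uri);
}
```

Decoding before classifying matters: the second link carries no literal `#` in the markup, yet it resolves to the same `*#06#` code the test page uses.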