Is your Android phone prone to USSD attacks?

[IO.Hazard]

As you may have read, last year Samsung reported a vulnerability in some of its Galaxy phones (including the Galaxy SIII) which could allow a malicious website to wipe (yes, WIPE) your device without any confirmation from you by dialing specific web-based USSD codes without the user knowing about it. Not too late, the Korean company published a patch to fix it, but new details around the web indicate that the problem goes beyond the Samsung product line and may affect models from other companies.

Want to check is your phone is protected? You can do it thanks to Dylan Reeve and a special page he prepared. Using your phone's browser, go to this site:

http://dylanreeve.com/phone.php

The Site will launch a web-based (though inoffensive) USSD code [*#06#]. If your phone shows your IMEI number automatically, it means it's not protected against USSD attacks. However, if your see a system prompt asking for your confirmation before executing the USSD code, you're in luck and your phone is protected.

If you have Avast! or Sophos Mobile Security installed in your Phone, chances are you are protected against USSD attacks since Avast! includes a "Number Validator" and Sophos uses a "Check before Dialing" that will ask for your confirmation before dialing USSD codes executed through the web.

If you have another Security Suite installed in your phone, you can still protect it against web-based USSD attacks without switching to Avast! or Sophos, just install the NoUSSD app from the Play Store:

https://play.google.com/store/apps/d...android.noussd

It is a small app (27k), requires no special permissions and it is, of course, completely free.

[Anupam]

Thanks for this information. My phone is susceptible to this attack. It's good that I have Avast installed, which blocked the attempt.

[kendall.a]

My Droid X2 Global popped up with a message when I went to the page. It asked me if I wanted to "complete action using: Dialer, or "Scan with Lookout before dialing".

I assume that means that I am protected?

[IO.Hazard]

@Anupam:
You are welcome!

Quote:

Originally Posted by kendall.a

My Droid X2 Global popped up with a message when I went to the page. It asked me if I wanted to "complete action using: Dialer, or "Scan with Lookout before dialing".

I assume that means that I am protected?

Yes. If your phone showed you a prompt before executing the USSD code it means your phone is protected. Is good to know that Lookout has included that protection too.

Whichever the case, if you are offered to "scan the number" (or any given name your security app assigns to that action) just do so and set it as the default action. That should keep you protected at all times.

[J_L]

Thanks for sharing this, I got "Complete action using":
Fongo
Phone
Scan before dialing
TrustGo Dialer Protection

[IO.Hazard]

Quote:

Originally Posted by J_L

Thanks for sharing this, I got "Complete action using":
Fongo
Phone
Scan before dialing
TrustGo Dialer Protection

Well I have to make some things clear:

As you may already know, Android will ask about the app you want to use whenever you have two or more apps installed that can do the same thing (dialing apps, video players, music players, etc.). If you have more than one app for calling, Android will show the "Complete action using..." as you say but it doesn't mean that you have USSD protection. (The funny thing is that having a second calling app has the "collateral" benefit of preventing automatic USSD dialing ).

In your particular case, you do have protection against web-based USSD dialing which is provided by "TrustGo Dialer Protection". So, the next time you do the test just select that option and check the "Set as default" option.

[Anupam]

Quote:

Originally Posted by kendall.a

My Droid X2 Global popped up with a message when I went to the page. It asked me if I wanted to "complete action using: Dialer, or "Scan with Lookout before dialing".

I assume that means that I am protected?

No, it does not.

IO.Hazard first gave the wrong answer, but corrected himself in the post above.

I got the above pop-up message for my phone too, except it was Avast instead of Lookout.

The pop-up message simply shows options to select one, to complete the action with. It's like the "Open with" in Windows, where Windows wants to know which program to open the file with. Same here. So, the pop-up message does not mean that the phone is safe.

To test, I chose the option of dialer, on which the IMEI number was shown. So, I think my phone was susceptible. My thinking is that if on selecting the dialer, another pop-up message for confirmation is shown, then the phone is safe, otherwise not. So, based on that, I said my phone is susceptible. When I chose Avast as the option, then it stopped the execution of the code.

[IO.Hazard]

Quote:

Originally Posted by Anupam

No, it does not.

IO.Hazard first gave the wrong answer, but corrected himself in the post above.

I got the above pop-up message for my phone too, except it was Avast instead of Lookout.

The pop-up message simply shows options to select one, to complete the action with. It's like the "Open with" in Windows, where Windows wants to know which program to open the file with. Same here. So, the pop-up message does not mean that the phone is safe.

I dropped the ball back there and I'm sorry for that.

What I really meant to say to kendall.a was that he had an option to protect his phone against this vulnerability (provided by Lookout). I shouldn't have said "Yes, your phone is protected" because I had no idea about his actual results with the web-based USSD test.

In order to polish this post and avoid further confusion, I've written this tiny guide based on my own experience.

This is how I performed the web-based USSD vulnerability test:

• 1. I went to the web page mentioned in the first post.
  
• 2. When prompted, I ignored the other dialing apps and selected the stock dialer.

After this, two things can happen:

• a. If you see your stock dialer loaded up but showing nothing (meaning you never saw your phone's IMEI) it means you're safe and your phone is not vulnerable to USSD attacks by default . I know this because that's what happened to me (according to my phone's manufacturer, my phone doesn't have the USSD issue).
  
  
• b. However, if your phone shows its IMEI number right after selecting the stock dialer, it means your phone is vulnerable and you should take immediate action . (Update the OS to the latest version provided by the manufacturer, install a Security Suite with protection against USSD or install some of the anti-USSD tools available in the play store).

If you already have a dialing protection installed (like the ones provided by avast!, Lookout, Trustgo, Sophos and others), setting it as the default app to perform dialing would be a good idea.

I sincerely hope this helps you in a better way than before.

[Anupam]

No need to say sorry IO.Hazard. As I said before, you had already corrected yourself in the second post. But, you explained things even better this time.

And the "b" scenario happened with me, that's why, I said my phone is susceptible. Unfortunately, my phone won't be having any further OS updates. Anyways, I have Avast for protection.

[Juxxize]

cheers for the advice, i checked and i'm good