Your Android device may be vulnerable to the malicious USSD code attack, which can initiate a wipe of the data on your phone and SIM card (Samsung phones are the main ones vulnerable to a memory wipe, because they rely on a USSD code to wipe the memory without user input). This vulnerability potentially affects any Android device running anything below Android 4.1.x (Jelly Bean).

This exploit was discovered by Ravishankar Borgaonkar, who notified the Android Security team in the third week of June 2012. No press release or official notification from Google was published, and you have to rely on your network provider to update your phone through OTA.

If you are not lucky enough to have your network operator backing you on this, you can follow the simple steps below, but first let me explain the nature of the exploit.

What is USSD

Unstructured Supplementary Service Data (USSD) is a GSM communication technology used to send messages between a mobile phone and an application server in the network. We use it all day, either to opt in to operator services or to check a balance; a code usually takes the form *XXX*XXX#.

How this attack works

The exploit uses the "tel" URI (Uniform Resource Identifier) scheme, which is used to pass telephone numbers in web pages and is standardized by RFC 3966. Although the scheme was designed to pass legitimate telephone numbers, it can also be used to pass a USSD code. The attacker changes the "dial string" so that the code is sent to your phone's dialer. Because of this, the attack is not limited to the web browser; it can also be initiated by a scanned code, NFC or any other input method.
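
A link handler or dialer can guard against this by inspecting the dial string before acting on it. The sketch below is an added example, not code from the original post: the function names and sample links are constructed, and *#06# is the only service code it uses.

```javascript
// Added example: classify a link target before it is handed to the dialer.
// Function names and the sample hrefs are constructed for illustration.

// Characters that turn a dial string into a USSD/MMI request instead of a call.
const SERVICE_CODE_CHARS = /[*#]/;

function classifyDialUri(uri) {
  const match = /^tel:(.*)$/i.exec(String(uri).trim());
  if (!match) return "not-tel";

  // RFC 3966 parameters (";phone-context=...") follow the number; drop them.
  const rawNumber = match[1].split(";")[0];

  let number;
  try {
    // "#" is usually written as %23 in a link, so decode before inspecting.
    number = decodeURIComponent(rawNumber);
  } catch (e) {
    return "blocked"; // malformed percent-encoding: refuse rather than guess
  }

  if (number.length === 0) return "blocked";
  if (SERVICE_CODE_CHARS.test(number)) return "ussd-needs-confirmation";

  // Ordinary numbers: optional "+", digits and the visual separators "-. ()".
  return /^\+?[0-9\-.() ]+$/.test(number) ? "phone-number" : "blocked";
}

// Return every href that must not be passed to the dialer automatically.
function findRiskyLinks(hrefs) {
  return hrefs.filter((h) => {
    const verdict = classifyDialUri(h);
    return verdict === "ussd-needs-confirmation" || verdict === "blocked";
  });
}

// Constructed sample hrefs, as they might be pulled from a page or a QR code.
const sampleHrefs = [
  "tel:+1-201-555-0123",
  "tel:*%2306%23",
  "TEL:%2A%2306%23",
  "tel:7042;phone-context=example.com",
  "tel:%E0%A4%A",
  "https://example.com/contact",
];
console.log(findRiskyLinks(sampleHrefs));
```
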

Below is a crafted link to test whether you are vulnerable to this attack. If you click it and your IMEI (a 14 to 16 alphanumeric code) simply shows up, your device is vulnerable. Otherwise, you will only see *#06# on your dialer screen.

CLICK HERE TO TEST

If you are affected by this, you can download McAfee from HERE