Heads up if you own an Android smartphone: A nasty attack has surfaced that can erase all the data on your phone—contacts, photos, everything—with a line of code hiding in a website you visit or one delivered via text message, NFC tag or QR code.
It comes via a special URL with a “tel:” prefix. If you tap on such a link, it can, in some cases, send an Unstructured Supplementary Service Data (USSD) code to your phone and initiate a factory reset, just as if you had keyed the code yourself.
Normally, people tap these USSD codes into their phones to do things like display an International Mobile Equipment Identity (IMEI) number or to perform a factory reset. But a website that can communicate with your phone and initiate them without your involvement is a scary prospect, indeed.
While first it was thought the hack only worked on Samsung phones, it’s been verified to work on other types as well, including an HTC One X, a Motorola Defy and reportedly a Sony Xperia Active.
One way to find out if your phone is vulnerable is to load this website—http://dylanreeve.com/phone.php—into your phone’s web browser.
If doing so causes your phone's dialer app to display *#06#, rest assured. But if the dialer provides you with a 14- or 16-digit number—your IMEI number—there’s a chance your phone could be attacked.
Developers are already coming up with free apps that guard against this hack. One that works is Bitdefender USSD Wipe Stopper, which you can get free at the Google Play store.
And of course, always make sure to use a good mobile security app on your phone. I reached out to several companies that provide antivirus solutions for phones and asked if their products protect against this kind of attack. Only Lookout Mobile Security (free in Google Play) replied in the affirmative. Kaspersky Mobile Security replied in the affirmative ($14.95 in Google Play) [UPDATE: Kaspersky now says their mobile security app does not protect against this type of threat].
A spokesperson from McAfee said its products don’t currently protect against this type of hack. [UPDATE: McAfee now has a free app to protect against this type of vulnerability called McAfee Dialer Protection.] Norton was unable to provide an answer before this story went to post.
From Karen DeYoung on October 01, 2012 :: 12:43 pm
I did the test and got the ok response. But the Techlicious site says my phone did not pass. Also now when I try to get to Apps on my phone, I get the message that there is no connection with the server. What do I do now?
Reply
From Suzanne Kantra on October 01, 2012 :: 1:18 pm
If the test here http://dylanreeve.com/phone.php says you passed, what do you mean that Techlicious says it didn’t pass? We don’t do any testing on Techlicious, just direct you to the test link.
For your other issue, that sounds like an unrelated connection issue. Make sure you have your cellular data and/or WiFi turned on. And try turning your phone off and on again to reset your connection to the network.
Reply
From Dan Yedinak on October 01, 2012 :: 3:45 pm
Are you talking about the image in the post? Specifically, the image found here : https://www.techlicious.com/images/phones/Bitdefender-hack-protection.gif )
Reply
From Karen DeYoung on October 01, 2012 :: 7:52 pm
yes
Reply
From Dan Yedinak on October 02, 2012 :: 3:38 pm
Aha! That explains it, then.
The picture is just an example of what you could see. It’s not an actual test, so it is nothing to worry about. Consider yourself safe.
Hopefully your separate Apps issue has also found a solution.
Prost!