Heads up if you own an Android smartphone: A nasty attack has surfaced that can erase all the data on your phone—contacts, photos, everything—with a line of code hiding in a website you visit or one delivered via text message, NFC tag or QR code.
It comes via a special URL with a “tel:” prefix. If you tap on such a link, it can, in some cases, send an Unstructured Supplementary Service Data (USSD) code to your phone and initiate a factory reset, just as if you had keyed the code yourself.
Normally, people tap these USSD codes into their phones to do things like display an International Mobile Equipment Identity (IMEI) number or to perform a factory reset. But a website that can communicate with your phone and initiate them without your involvement is a scary prospect, indeed.
While it was first thought that the hack worked only on Samsung phones, it has since been verified to work on other types as well, including an HTC One X, a Motorola Defy and reportedly a Sony Xperia Active.
One way to find out if your phone is vulnerable is to load this website—http://dylanreeve.com/phone.php—into your phone’s web browser.
If doing so causes your phone's dialer app to display *#06#, rest assured. But if the dialer provides you with a 14- or 16-digit number—your IMEI number—there’s a chance your phone could be attacked.
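As an added example (not code from this article or from any of the apps it names), the Python below scans a page's markup for the kind of “tel:” link described above: one whose number contains the * or # characters of a USSD code, including percent-encoded and entity-encoded forms. The function names, the tag lists and the sample markup are assumptions made for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

URL_ATTRS = {"href", "src", "data", "action"}           # attributes that carry a URL
NO_TAP_TAGS = {"iframe", "frame", "embed", "object", "img", "meta"}  # fetched on page load
TEL_RE = re.compile(r"^\s*tel:(.*)$", re.IGNORECASE | re.DOTALL)
REFRESH_RE = re.compile(r"url\s*=\s*['\"]?([^'\"]+)", re.IGNORECASE)

def ussd_in_tel_uri(uri):
    """Return the decoded dial string if uri is a tel: URI containing '*' or '#', else None."""
    m = TEL_RE.match(uri or "")
    if not m:
        return None
    dial = unquote(m.group(1)).strip()                   # %2A -> '*', %23 -> '#'
    return dial if ("*" in dial or "#" in dial) else None

class TelScanner(HTMLParser):
    """Collects (tag, attribute, no_tap_needed, dial_string) for suspicious tel: URIs."""
    def __init__(self):
        super().__init__()                               # also decodes &#35; style entities
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        candidates = [(k, v) for k, v in attrs.items() if k in URL_ATTRS]
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            m = REFRESH_RE.search(attrs.get("content") or "")
            if m:
                candidates.append(("content", m.group(1)))
        for name, value in candidates:
            dial = ussd_in_tel_uri(value)
            if dial:
                self.findings.append((tag, name, tag in NO_TAP_TAGS, dial))

def scan_html(html):
    scanner = TelScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample markup; *#06# is the harmless IMEI-display code the article mentions.
SAMPLE = """
<a href="tel:+15555550100">Call us</a>
<iframe src="tel:*%2306%23"></iframe>
<meta http-equiv="refresh" content="0; url=tel:*#06#">
<a href="TEL:*&#35;06&#35;">tap here</a>
"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE):
        print(finding)
```

An ordinary phone-number link produces no finding; the third field of each finding marks markup that loads its URL without the user tapping anything.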
Developers are already coming up with free apps that guard against this hack. One that works is Bitdefender USSD Wipe Stopper, which you can get free at the Google Play store.
And of course, always make sure to use a good mobile security app on your phone. I reached out to several companies that provide antivirus solutions for phones and asked if their products protect against this kind of attack. Only Lookout Mobile Security (free in Google Play) replied in the affirmative.
Kaspersky Mobile Security replied in the affirmative ($14.95 in Google Play) [UPDATE: Kaspersky now says their mobile security app does not protect against this type of threat]. A spokesperson from McAfee said its products don’t currently protect against this type of hack. [UPDATE: McAfee now has a free app to protect against this type of vulnerability called McAfee Dialer Protection.] Norton was unable to provide an answer before this story went to post.