
Malicious USSD code

  1. strider70

    strider70 Well-Known Member

    ocnbrze, Granite1 and 9to5cynic like this.
  2. Speed Daemon

    Speed Daemon Disabled

    Look on the bright side, this is ideal for spies and other people who need to brick their phones when the goons are knocking down their door. ;)
  3. novox77

    novox77 Leeeroy Jennnkinnns! VIP Member

    Not sure how well known it is at this point, but this hack affects more than just Sammy phones. Moto on Verizon is vulnerable, as is HTC on AT&T.

    At issue here is if the phone AND carrier support a special code that is input by the Dialer app.

    For example, on most (if not all) phones, you can enter ##3282# into the dialer, and it will take you to the phone's EPST menu. Some codes are standard; others are specific to the phone and/or carrier. In this case, the code to wipe your phone is launched from a browser with code like this:

    <frameset><frame src="tel:[wipecode]" /></frameset>

    This works a lot like mailto:"myusername@email.com". When a device sees mailto: it will open the default email client. When a phone sees "tel:" it will launch the default dialer. And if your phone/carrier supports this code, it will start the data wipe.

    tel:[wipecode] can be placed into a QR code as a URL data type. Depending on the QR scanning software you use, it may or may not immediately process the URL. A security-aware QR code scanner should first show you the result of the scan, and then allow you to proceed via a user-interaction.

    It would also appear that browser choice makes a difference here. Opera does not support launching the dialer when it sees a tel: so even if the phone/carrier combo is vulnerable, you won't be damaged if you use Opera.

    But the real solution is to patch the phone's radio firmware so that the wipe code is disabled. Either that or have the firmware prompt for the phone's MSL number before wiping.
    strider70 and 9to5cynic like this.
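
The check a security-aware QR scanner or link handler could run before handing a `tel:` URI to the dialer, as an added example that is not part of the original post. The function names are hypothetical, the sample page is constructed, and `*#06#` is the harmless display code used by the test page mentioned in this thread.

```javascript
// Added example (not from the thread): gate tel: URIs before they reach the dialer.
// classifyTelUri and findAutoLoadedTelUris are hypothetical names.

// MMI/USSD codes are built from '*' and '#'; ordinary phone numbers are not.
function classifyTelUri(uri) {
  const m = /^tel:(.*)$/i.exec(String(uri).trim());
  if (!m) return { isTel: false, action: "ignore" };
  let number;
  try {
    // '#' is usually percent-encoded (%23) so it survives URL parsing.
    number = decodeURIComponent(m[1]);
  } catch (e) {
    // Malformed escape sequence: refuse rather than guess.
    return { isTel: true, number: m[1], isCode: false, action: "block" };
  }
  const isCode = /[*#]/.test(number);
  // Never auto-dial: codes are blocked, plain numbers still need a user tap.
  return { isTel: true, number, isCode, action: isCode ? "block" : "confirm" };
}

// Heuristic scan for tel: URIs that load with no user interaction,
// i.e. placed in a frame/iframe src as in the snippet quoted above.
function findAutoLoadedTelUris(html) {
  const re = /<(?:frame|iframe)\b[^>]*\bsrc\s*=\s*["']?(tel:[^"'\s>]*)/gi;
  const hits = [];
  let m;
  while ((m = re.exec(html)) !== null) hits.push(m[1]);
  return hits;
}

// Constructed sample page carrying the harmless *#06# code, percent-encoded.
const SAMPLE_PAGE = '<frameset><frame src="tel:*%2306%23" /></frameset>';

function reviewPage(html) {
  return findAutoLoadedTelUris(html).map(classifyTelUri);
}

console.log(reviewPage(SAMPLE_PAGE));
console.log(classifyTelUri("tel:+15555550100"));
```
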
  4. novox77

    novox77 Leeeroy Jennnkinnns! VIP Member

    Here's a test to see if your phone is vulnerable:
    Andriod TEL URL Handling exploit demo by Ravishankar Borgaonkar

    This link is SAFE to click. It will NOT wipe your phone. But if the result of your clicking this link is that your phone shows you your MEID number, then your phone would be vulnerable to the REAL hack.

    If all you see is *#06# in your dialer, then you are safe. If you were to press CALL from there, you should get your carrier message saying the number you dialed is invalid.
    ocnbrze and 9to5cynic like this.
  5. cwhatever

    cwhatever Life Goes On Guide

    It's through the hidden menu is how it's done. If you do the test above and you are vulnerable, freeze the hidden menu with something like titanium or another app, you cannot be hacked then. If you need to use it then you can unfreeze it, do what you gotta do, then refreeze it.
    I got this through the people in our device.
  6. 9to5cynic

    9to5cynic Well-Known Member

    Mine flashes that code real quick and then shows nothing. I'm thinking I'm in the clear. And I must say these mobile hacks are always some of the most interesting. ;-)
  7. DonB

    DonB ♡ Spidey Sense !! ♡ ™ Moderator

    I saw Go To Hell on my phone when I clicked on the link, what is that all about, LOL :D

  8. zuben el genub

    zuben el genub Well-Known Member

    Saw this elsewhere. The post said that even Cyanogenmod was affected. The post suggested changing dialers or installing another dialer so you got asked which service.

    I have Viber, and every time I try to call out, it asks which service.

    Article also mentioned something about NFC. They didn't mention Q codes. I have that disabled.

    Was the post right? Is this enough to avoid?

    Are real websites being hacked to use this or are the websites just set up to snag people like the ones that click on "free" anything?
    Hadron likes this.
  9. Hadron

    Hadron Well-Known Member Contributor

    I can confirm that the test url above works on a HTC Desire with a bare-bones AOSP ROM and using Boat browser.

    One chap suggested installing an alternative dialer. You don't have to use it at all, but if you hit a malicious link it will pop up a box asking you which dialer you want to open the link with rather than entering the code. I can confirm that this work around works to block the test site.

    Edit: just spotted that Zuben has already posted this work-around!
  10. zuben el genub

    zuben el genub Well-Known Member

    You can just enable internet calling even if you don't have a SIP account.
  11. davagui2828

    davagui2828 New Member

    Here is a test page from ESET:
    Antivirus Software and Internet Security Solutions :: ESET

    Another test page:

    These are to verify if your phone is vulnerable to USSD code attacks triggered by SMS, QR code or malicious web link.
    I own a Samsung Galaxy SII or S2 and used those links and they are not malicious, I found my phone was vulnerable and proceeded to install a free tool from ESET (I found this info in a magazine).

    If you are affected, try this ESET free tool:
    ESET Latinoam
