Malicious USSD code

Discussion in 'Off Topic' started by strider70, Sep 26, 2012.

  1. strider70

    strider70 Well-Known Member
    Thread Starter
    ocnbrze, Granite1 and 9to5cynic like this.
  2. Speed Daemon

    Speed Daemon Android Expert
    Look on the bright side, this is ideal for spies and other people who need to brick their phones when the goons are knocking down their door. ;)
     
  3. novox77

    novox77 Leeeroy Jennnkinnns!
    Not sure how well known it is at this point, but this hack affects more than just Sammy phones. Moto on Verizon is vulnerable, as is HTC on AT&T.

    At issue here is if the phone AND carrier support a special code that is input by the Dialer app.

    For example, on most (if not all) phones, you can enter ##3282# into the dialer, and it will take you to the phone's EPST menu. Some codes are standard; others are specific to the phone and/or carrier. In this case, the code to wipe your phone is launched from a browser with code like this:

    <frameset><frame src="tel:[wipecode]" /></frameset>

    This works a lot like mailto:"myusername@email.com". When a device sees mailto: it will open the default email client. When a phone sees "tel:" it will launch the default dialer. And if your phone/carrier supports this code, it will start the data wipe.

    tel:[wipecode] can be placed into a QR code as a URL data type. Depending on the QR scanning software you use, it may or may not immediately process the URL. A security-aware QR code scanner should first show you the result of the scan, and then allow you to proceed via a user-interaction.

    It would also appear that browser choice makes a difference here. Opera does not support launching the dialer when it sees a tel: so even if the phone/carrier combo is vulnerable, you won't be damaged if you use Opera.

    But the real solution is to patch the phone's radio firmware so that the wipe code is disabled. Either that or have the firmware prompt for the phone's MSL number before wiping.
     
    strider70 and 9to5cynic like this.
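
A defender-side check for the pattern novox77 describes above, as an added example that is not part of the original thread: it flags tel: URIs that load without a tap (frame/iframe src, meta refresh) and treats any dial string containing `*` or `#` as a code rather than a phone number, which is the "show the result first" behaviour a QR scanner or link filter could apply. The function names and the block/confirm/allow policy are assumptions, and the sample input uses only the harmless `*#06#` test code mentioned in this thread.

```javascript
// Added example: classify tel: URIs the way a cautious QR scanner or link filter could.
// All names here are hypothetical; the policy is an assumption, not a vendor's fix.

// Return the decoded dial string of a tel: URI, or null if it is not a tel: URI.
function dialString(uri) {
  const m = /^\s*tel:(.*)$/is.exec(uri);
  if (!m) return null;
  try {
    return decodeURIComponent(m[1]).trim(); // %23 -> '#', %2A -> '*'
  } catch (e) {
    return m[1].trim(); // malformed percent-encoding: inspect the raw text
  }
}

// '*' or '#' means the dialer may treat the string as a USSD/MMI code, not a number.
function isCodeLike(uri) {
  const d = dialString(uri);
  return d !== null && /[*#]/.test(d);
}

// Collect tel: URIs that load without user interaction.
function autoLoadedTelUris(html) {
  const found = [];
  const frameSrc = /<i?frame\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  const metaRefresh =
    /<meta\b[^>]*?http-equiv\s*=\s*["']?refresh["']?[^>]*?url\s*=\s*([^"'\s>]+)/gi;
  for (const re of [frameSrc, metaRefresh]) {
    for (const m of html.matchAll(re)) {
      if (dialString(m[1]) !== null) found.push(m[1]);
    }
  }
  return found;
}

// "block": an auto-loaded tel: URI carries a code; "confirm": a tel: URI
// auto-loads but looks like a plain number; "allow": nothing auto-loads.
function verdict(html) {
  const uris = autoLoadedTelUris(html);
  if (uris.some(isCodeLike)) return "block";
  return uris.length > 0 ? "confirm" : "allow";
}

// Constructed sample page using the IMEI/MEID display code from the test in this thread.
const samplePage = '<frameset><frame src="tel:*%2306%23" /></frameset>';
console.log(verdict(samplePage));
```
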
  4. novox77

    novox77 Leeeroy Jennnkinnns!
    Here's a test to see if your phone is vulnerable:
    Andriod TEL URL Handling exploit demo by Ravishankar Borgaonkar

    This link is SAFE to click. It will NOT wipe your phone. But if the result of your clicking this link is that your phone shows you your MEID number, then your phone would be vulnerable to the REAL hack.

    If all you see is *#06# in your dialer, then you are safe. If you were to press CALL from there, you should get your carrier message saying the number you dialed is invalid.
     
    ocnbrze and 9to5cynic like this.
  5. cwhatever

    cwhatever Life Goes On
    It's through the hidden menu is how it's done. If you do the test above and you are vulnerable, freeze the hidden menu with something like Titanium or another app; you cannot be hacked then. If you need to use it, then you can unfreeze it, do what you gotta do, then refreeze it.
    I got this through the people in our device.
     
  6. 9to5cynic

    9to5cynic Android Expert
    Mine flashes that code real quick and then shows nothing. I'm thinking I'm in the clear. And I must say these mobile hacks are always some of the most interesting. ;-)
     
  7. DonB

    DonB ♡ Truth, Justice and the American Way !! ♡ ™
    Moderator
    I saw Go To Hell on my phone when I clicked on the link, what is that all about, LOL :D


     
  8. zuben el genub

    zuben el genub Android Expert
    Saw this elsewhere. The post said that even Cyanogenmod was affected. The post suggested changing dialers or installing another dialler so you got asked which service.

    I have Viber, and every time I try to call out, it asks which service.

    Article also mentioned something about NFC. They didn't mention QR codes. I have that disabled.

    Was the post right? Is this enough to avoid?

    Are real websites being hacked to use this or are the websites just set up to snag people like the ones that click on "free" anything?
     
    Hadron likes this.
  9. Hadron

    Hadron  
    VIP Member
    I can confirm that the test url above works on a HTC Desire with a bare-bones AOSP ROM and using Boat browser.

    One chap suggested installing an alternative dialer. You don't have to use it at all, but if you hit a malicious link it will pop up a box asking you which dialer you want to open the link with rather than entering the code. I can confirm that this work around works to block the test site.

    Edit: just spotted that Zuben has already posted this work-around!
     
  10. zuben el genub

    zuben el genub Android Expert
    You can just enable internet calling even if you don't have a SIP account.
     
  11. davagui2828

    davagui2828 Lurker
    Here is a test page from ESET:
    Antivirus Software and Internet Security Solutions :: ESET

    Another test page:
    http://hugelaser.com/ac/ussd-test.php

    These are to verify if your phone is vulnerable to USSD code attacks triggered by SMS, QR code or malicious web link.
    I own a Samsung Galaxy SII or S2 and used those links, and they are not malicious. I found my phone was vulnerable and proceeded to install a free tool from ESET (I found this info in a magazine).

    If you are affected, try this ESET free tool:
    ESET Latinoam
     
