Security researchers found a flaw with Android OS that can lead to an unstoppable remote wipe of Samsung Galaxy S III phones. The wipe, or factory reset of the Galaxy S III, can be triggered by clicking a link that contains with it a line of malicious code, or even by scanning a doctored QR code, and users will have no warning.
Ravi Borgaonka, a mobile researcher at Technical University Berlin, detailed the vulnerability at the Ekoparty security conference in Buenos Aires. The hack makes use of USSD codes, a protocol normally used by phones to communicate with the wireless carriers. Basically, if a malicious USSD code is sent to a phone from a website, via a text message, or via a QR code or NFC, it will bring up the dialer and instantly trigger a factory reset of a Galaxy S III phone, wiping all your data. The research also showed that a different USSD code could be used to wipe your SIM card, while users will be able to see the wiping process taking place, but they won't be able to stop it.
So far, the Galaxy S III seems to be affected by the vulnerability, as well as other Android handsets that run Samsung's TouchWiz UI, such as the Galaxy S II, Beam, S Advance, Note and Ace. Telecom engineer Pau Olivia explained on Twitter that the Galaxy Nexus, also manufactured by Samsung, is not affected because it runs on stock Android and does not automatically dial the code, unlike Samsung's default setting, which dials the code without a prompt.
The USSD code vulnerability so far seems to be restricted to the stock browser on Samsung TouchWiz Android devices, so if you use Google Chrome as the default browser, you won't be affected, users of the XDA developers forum suggested. Alternatively, this can be avoided by switching off Samsung's Service Loading feature from the settings panel.
Samsung has not returned requests for comment.
Sign up for CIO Asia eNewsletters.