At the recently held ekoparty Security conference in Buenos Aires security researcher Ravi Borgaonkar has demonstrated a simple attack that could lead to a remote wiping of some Android-based Samsung smartphones.
The reset to the factory settings and complete wipe of the contents is achieved via a simple USSD (Unstructured Supplementary Service Data) code delivered to the device via a specially crafted webpage or QR code, pushed by NFC, or even via a remotely triggered call to the specially crafted webpage via WAP push messages.
Borgaonkar demonstrated the attack on the Galaxy S3 device, but according to Slashgear, other devices running Samsung’s customized version of Android are also affected.
Reports that Galaxy S2, Galaxy Beam, S Advance, and Galaxy Ace are also vulnerable have been popping up, although it also depends where and by whom the devices are sold.
For example, H-Online reports that European Samsung Galaxy S3 running Android 4.0.4 will not automatically run the code from the booby-trapped webpage, but that Galaxy S2 running on Android 2.3.6 or 4.0.3 will.
The problem seems to arise with the presence of TouchWiz user interface, which instead of screening the code first runs it automatically.
To protect themselves from possible attacks until Samsung pushes our a patch, users are advised to be careful which links they follow, and to switch off the automatic site loading in their QR and NFC readers.