# Some Android phones can be wiped by a link



## air2004 (Sep 25, 2012)

A full list of phones is presently being generated but it appears as though most things with Galaxy in the name need to be careful. The exploit itself appears to be quite simple and the result of a mismatch between different security systems (web browser being able to interact with the far-reaching USSD codes system) rather than a more elaborate hack, although it is still just as potent to those capable of being hit by it.
It is still very early days so there will be more information coming out over the coming hours and days.

Staff edit-
Suffice it to say any sharing of potentially damaging urls will be dealt with severely. If you are curious the source below links to a test page that will see your IMEI number displayed if you are vulnerable, you can visit the test site at http://dylanreeve.com/phone.php


techcrunch.com source


----------



## emigre (Sep 25, 2012)

What an original title.


----------



## Zetta_x (Sep 25, 2012)

Would you mind explaining a bit?


----------



## Fear Zoa (Sep 25, 2012)

Sucks for samsung touchwiz users.
Thread title shouldn't be a link and if you're going to post news you actually have to summarize the article and say something about it.


----------



## Hop2089 (Sep 25, 2012)

That needs to be fixed soon and although I read the article explain the link induced wipe issue in simple detail.


----------



## chris888222 (Sep 25, 2012)

He is talking about this:

http://m.techcrunch.com/2012/09/25/got-touchwiz-some-samsung-smartphones-can-be-totally-wiped-by-clicking-a-link/?icid=tc_home_art&



> Here’s the exploit in a nutshell: a simple line of HTML (which we won’t be reproducing for obvious reasons) goads a vulnerable device into dialing a specific USSD code that triggers a full wipe/reset. According to SlashGear and The Next Web, vulnerable devices include the popular Galaxy S II and S III series, as well as the Galaxy S Advance, Galaxy Beam, and Galaxy Ace.


----------



## SifJar (Sep 25, 2012)

Fairly poor OP. Anyway, this thread is about a recently publicised "exploit" in Samsung phones using the TouchWiz interface. There is a flaw in the browser of such devices which means that a malicious individual can easily craft a website that will dial any USSD code automatically (these are special codes you enter into your phone, usually followed by a #; one example is *#06# which will display your phone's IMEI code). The code in question here is a factory reset code, which will completely wipe your device.

It is also ridiculously easy to implement in a website. Including the following anywhere in the body of an HTML document will do the trick:

```

```
Yes, it's really that easy to completely wipe a Samsung phone. (Also note that this information is easily discoverable online; I happened across it in mere seconds when researching this.)

Anyone with a Samsung Android phone should follow this link (which is completely safe) to check if their phone is vulnerable: http://dylanreeve.com/phone.php If your phone displays the IMEI, it's vulnerable to this "exploit". If it doesn't, you are safe.

Details on prevention are here: http://dylanreeve.po...ote-ussd-attack (basically, install an unofficial dialer app such as Dialer One, but there are more details on that post).


----------



## Just Another Gamer (Sep 25, 2012)

Interesting, oddly it doesn't affect me that much since I can't access the internet on my phone without access to a free WiFi hotspot.


----------



## FAST6191 (Sep 25, 2012)

I tweaked the opening post and title a bit although there is more to read on the source and elsewhere. An interesting hack, I had wondered if skype's browser phone number autoparser might have had something similar to this (before I nuked it for being annoying) as a potential hack and one I might not have thought to combine the two technologies to produce something like this.


----------



## air2004 (Sep 25, 2012)

Sorry for the fucked up post, was trying to post from my phone and I messed up


----------



## SifJar (Sep 25, 2012)

I just tested it on my phone (an HTC Sense device using the Dolphin browser) and it is also vulnerable. *This problem is not exclusive to Samsung phones.* I advise everyone tries the http://dylanreeve.com/phone.php test website and check if your IMEI is displayed, regardless of your phone. If your IMEI is displayed, install Dialer One from the Play Store immediately (it's free). Even if you don't want to use it, having a second dialer installed will cause a prompt to appear when your phone tries to run a USSD code, asking which dialer to use. Either hit "back" at this point if you didn't click a link to dial a number (in which case it's probably malicious) or else set Dialer One to be the default (this will mean that in future, Dialer One will open in these situations, and this app will display the number, but not dial it until you tell it to).


----------



## Hyro-Sama (Sep 25, 2012)

My phone is vulnerable. I have a Samsung Galaxy SII. Downloading the Dialer One app as I type this.


----------



## Deleted-236924 (Sep 25, 2012)

Define "displays your IMEI"?

When I follow the link, it opens the dialler on *#06#
Then nothing else.

Was it supposed to show my IMEI number in that white box in the page?

In which case I seem to be safe.


----------



## Jamstruth (Sep 25, 2012)

Your phone is safe.
An unsafe phone would have automatically dialled that *#06# which is a code to display the IMEI on your phone. At least for most Samsung ones. Didn't work on my Galaxy Nexus when I dialled it.


----------



## lokomelo (Sep 25, 2012)

Someone please explain (in a way that even a dumb like me can understand) why it is dangerous for the user?


----------



## SifJar (Sep 25, 2012)

Pingouin7 said:


> Define "displays your IMEI"?
> 
> When I follow the link, it opens the dialler on *#06#
> Then nothing else.
> ...


A popup would appear with a longish number in it. What you described means your phone is safe. (If you're curious as to the "vulnerable" result, manually dial *#06# into your phone's dialer; this is perfectly safe and will display the popup, so you can see what a "positive" result looks like) EDIT: For reference on my phone it looks like this:








lokomelo said:


> Someone please explain (in a way that even a dumb like me can understand) why it is dangerous for the user?


It allows someone to (extremely easily) create a website that will completely wipe your phone. Obviously they have to get you to visit the site, but once they do that, they can wipe everything.


----------



## Minox (Sep 25, 2012)

So it seems I may have made the right choice when I opted not to go for a Samsung phone with Touchwiz.

I still wonder why a website can automatically insert a phone number into the phone number field without any user interaction whatsoever though.


----------



## lokomelo (Sep 25, 2012)

SifJar said:


> lokomelo said:
> 
> 
> > Someone please explain (in a way that even a dumb like me can understand) why it is dangerous for the user?
> ...



One more dumb question. It is easy to make an app launch a website right?

So, it is easy to someone hack a paid app, for example, plants of zombies, and change a link from the popcap site to a hacked site. Then put this hacked app for free on internet. It is easy to do with this security problem?


----------



## hatredg0d (Sep 25, 2012)

Ouch, it seems to be bigger than Samsung. I was able to modify the html a bit and host a page that can launch the hidden menus on my HTC evo 3d without telling me it was going to dial a number. I can't confirm you can launch a feature of the menus automatically though.

Here are the 3 secret htc menu codes i know about; *#*#4636#*#*  *#*#3424#*#*  *#*#8255#*#*


----------



## Deleted-236924 (Sep 25, 2012)

Maybe whether or not it works depends on the Android version?

Anyone who is vulnerable right now, what Android version are you on?


----------



## hatredg0d (Sep 25, 2012)

Pingouin7 said:


> Maybe whether or not it works depends on the Android version?
> 
> Anyone who is vulnerable right now, what Android version are you on?


4.0.3
Said to be patched in 4.0.4


----------



## SifJar (Sep 25, 2012)

Minox said:


> So it seems I may have made the right choice when I opted not to go for a Samsung phone with Touchwiz.
> 
> I still wonder why a website can automatically insert a phone number into the phone number field without any user interaction whatsoever though.


The problem arises (I believe) from the fact that certain USSD codes don't require you to press dial; they will run as soon as the last digit (generally a #) is entered (try it yourself; if you type *#06# into your dialer it should pop up with your IMEI without you pressing dial). So what "should" happen is that the number is entered, but not dialled. However with these codes, entering the last digit of the number DOES dial, and in Samsung's and HTC's respective dialler apps, they don't have anything preventing that from happening when the number is coming from a browser. The stock Android dialler does, I believe. _EDIT: turns out this was at a time an Android wide bug, but has been fixed in Android, the fix just hasn't filtered through to all manufacturer builds_. (As well as Samsung's in their latest ROMs; if you have a fully updated GSG3, you're probably safe)

The legitimate use is for sites of businesses or whatever so they can provide a link to phone them without you having to copy a number or whatever.


lokomelo said:


> One more dumb question. It is easy to make an app launch a website right?
> 
> So, it is easy to someone hack a paid app, for example, plants of zombies, and change a link from the popcap site to a hacked site. Then put this hacked app for free on internet. It is easy to do with this security problem?


Well yes, but they could just as easily do this directly from the hacked app without opening a browser. It'd require certain permissions, which would be displayed when the app is being installed, but I doubt most people read those too carefully. I'm not completely sure, but a special permission may also be required for opening a web page, although that would be less suspicious (e.g. could be for opening developer's website or something) than being able to make calls. If the device is rooted, there's even more that can be done (in fact, there's basically no limit; this is why it is particularly silly to install pirated apps if you're rooted), although it will have to ask you for root permissions (although the uploader could possibly pass that off as part of the crack, dunno if people would believe that or not though).


----------
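
The behaviour SifJar describes for a safe dialer (a number that arrives from a web page is shown, but nothing runs until the user presses dial) reduces to a check like the one below. This is an added Python example, not code from the thread, from Android, or from Dialer One or TelStop; the function names and the three verdicts are assumptions, and the sample URIs are constructed from the harmless codes quoted in this thread.

```python
from urllib.parse import unquote

# Characters that only change how a number is displayed, never what is dialled.
VISUAL_SEPARATORS = set(" -.()")
# Characters a dialer needs to accept: digits, '+', and the MMI/USSD symbols.
DIALABLE = set("0123456789+*#")


def parse_tel_uri(uri):
    """Return the dial string carried by a tel: URI, or None if it is not one."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() != "tel":
        return None
    # Drop RFC 3966 parameters such as ";ext=12" before looking at the number.
    number = rest.split(";", 1)[0]
    # Decode before inspecting: a filter that looks at the raw text would miss
    # '*' and '#' when they arrive percent-encoded.
    number = unquote(number)
    return "".join(ch for ch in number if ch not in VISUAL_SEPARATORS)


def classify(uri):
    """Decide what a dialer should do with a tel: URI handed over by another app.

    'reject'  - not a tel: URI, empty, or contains characters no dialer needs
    'confirm' - contains '*' or '#', so it may be a USSD/MMI or menu code:
                display it and do nothing until the user presses dial
    'prefill' - ordinary phone number: safe to place in the dial field
    """
    number = parse_tel_uri(uri)
    if not number or any(ch not in DIALABLE for ch in number):
        return "reject"
    if "+" in number[1:]:
        # '+' is only meaningful as an international prefix.
        return "reject"
    if "*" in number or "#" in number:
        return "confirm"
    return "prefill"


def triage(uris):
    """Classify a batch of URIs; returns {uri: verdict}."""
    return {uri: classify(uri) for uri in uris}


# Constructed sample input. The two codes are the IMEI display code and one of
# the HTC menu codes mentioned in the thread, both harmless.
SAMPLES = [
    "tel:+1-555-0100",
    "TEL:(555) 0100;ext=12",
    "tel:*%2306%23",
    "tel:%2A%23%2A%234636%23%2A%23%2A",
    "tel:555%3B0100",
    "tel:",
    "http://example.com/",
]

if __name__ == "__main__":
    for uri, verdict in triage(SAMPLES).items():
        print(f"{verdict:8} {uri}")
```
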



## Flame (Sep 25, 2012)

Ouch.


I reckon that apple is the one who created this....


----------



## jalaneme (Sep 25, 2012)

Ouch, I really have to be careful what websites I go on with my mobile phone then, I have a samsung S2.


----------



## SifJar (Sep 25, 2012)

jalaneme said:


> Ouch, I really have to be careful what websites I go on with my mobile phone then, I have a samsung S2.


Don't just "be careful", take precautions; for the time being, a good workaround is to install Dialer One and set it as the default dialer for numbers from websites. In future, there may be an update from Samsung blocking the hole (it's already been done for the S3), or else the community will probably create a patch for the stock dialer app that you could install (or some other patch to prevent the hack, but maintain full functionality).

Of course, non-TouchWiz based custom ROMs should also be safe from the attack, so that's another option.


----------



## Zerousen (Sep 25, 2012)

Not just Samsung.

http://www.androidpolice.com/2012/09/25/new-exploit-could-force-factory-reset-on-many-samsung-phones-running-touchwiz/


----------



## jalaneme (Sep 25, 2012)

SifJar said:


> jalaneme said:
> 
> 
> > Ouch, I really have to be careful what websites I go on with my mobile phone then, I have a samsung S2.
> ...



how safe is this dialer one app though?


----------



## Joe88 (Sep 25, 2012)

looks to be only the stock browser affected
which is the same as using ie in many ways...


----------



## Deleted-236924 (Sep 25, 2012)

hatredg0d said:


> Pingouin7 said:
> 
> 
> > Maybe whether or not it works depends on the Android version?
> ...


Haha, I'm on 4.1.1, probably explains it.


----------



## jalaneme (Sep 25, 2012)

Joe88 said:


> looks to be only the stock browser affected
> which is the same as using ie in many ways...



So if you use dolphin browser you won't get affected by the exploit? btw I am on 4.0.3 ICS.


----------



## Joe88 (Sep 25, 2012)

no idea, I used chrome on my s3
the source says it takes advantage of a vulnerability in the stock browser


----------



## hatredg0d (Sep 25, 2012)

Joe88 said:


> looks to be only the stock browser affected
> which is the same as using ie in many ways...


Chrome is also affected. Opera Mobile locked the frame out requiring you to click on the code, but when clicked still gets launched without proper notification from android.


----------



## Foie (Sep 25, 2012)

Oh scary, I just went to that website on my custom rom'd ICS HTC Sensation through Dolphin browser and it displayed my IMEI number... Gotta get on this.


----------



## Joe88 (Sep 25, 2012)

well it doesn't affect the s3 in any case
running stock 4.0.4 with chrome


----------



## Jamstruth (Sep 25, 2012)

Joe88 said:


> well it doesn't affect the s3 in any case
> running stock 4.0.4 with chrome


You'll notice people have said this only happens with the Stock Browser.

Edit: I noticed you have seen this. I was just confused since you weren't quoting. My bad.


----------



## Joe88 (Sep 25, 2012)

hatredg0d said chrome was affected, it's not though, just displays the web page
tested with stock browser and it opened the dialer, no imei displayed though
firefox also opens the dialer also but doesnt display the imei either


----------



## hatredg0d (Sep 25, 2012)

Joe88 said:


> hatredg0d said chrome was affected, it's not though
> tested with stock browser and it opened the dialer, no imei displayed though
> firefox also opens the dialer also but doesnt display the imei either


Samsung already released a statement saying it was fixed on phones running 4.0.4 so your phone is not at risk.


----------



## chartube12 (Sep 25, 2012)

yeah yeah. Very old hole found in android back when 4.0.1 was first released. Works with any browser capable of sending data to the dial-ler. But most temps members wouldn't know since they avoid egadget and gizmodo.


----------



## SifJar (Sep 25, 2012)

jalaneme said:


> how safe is this dialer one app though?


It is well established as a replacement dialer app, I'd say it's safe from the aspect of saving personal information and sending it to its servers or whatever. If you mean in terms of being exploitable, it's not vulnerable to this same exploit.


Joe88 said:


> looks to be only the stock browser affected
> which is the same as using ie in many ways...


Nope. I use Dolphin and I was able to run a USSD code directly from the browser using the test page. I am convinced the flaw is in the dialer app and not the browser (although the browser may be partially at fault also, depending how it parses tel: links).



chartube12 said:


> yeah yeah. Very old hole found in android back when 4.0.1 was first released. Works with any browser capable of sending data to the dial-ler. But most temps members wouldn't know since they avoid egadget and gizmodo.


I follow both sites and read many articles on both and never heard of this before today. When it was first discovered, it was communicated to Samsung privately and not publicised. No one else seems to have heard about it prior to the announcement in the last day or two. For example, the thread about it on XDA (where there are many very knowledgeable people who would have known about it if it had been public knowledge for a long time) has no mention of it being already known about.


----------



## jalaneme (Sep 25, 2012)

SifJar said:


> Don't just "be careful", take precautions; for the time being, a good workaround is to install Dialer One and set it as the default dialer for numbers from websites.



I looked through all the settings and there is no such option, can you explain what the hell you are talking about? And this app looks damn ugly too, when I go to my home screen and press the phone icon it still launches my default dialer app so this app really does nothing because you have to select the corresponding app to even use it :S


----------



## Jamstruth (Sep 25, 2012)

jalaneme said:


> SifJar said:
> 
> 
> > Don't just "be careful", take precautions; for the time being, a good workaround is to install Dialer One and set it as the default dialer for numbers from websites.
> ...


Umm... that's because that Phone Icon is a link directly to the Phone app that was already installed. If you were to go into contacts and try to call somebody it would ask which to use since no default is set.


----------



## jalaneme (Sep 25, 2012)

Jamstruth said:


> Umm... that's because that Phone Icon is a link directly to the Phone app that was already installed. If you were to go into contacts and try to call somebody it would ask which to use since no default is set.



nope, doesn't do that, it still uses the default app to make a call, the dialer one app doesn't even show up


----------



## [M]artin (Sep 25, 2012)

jalaneme said:


> Jamstruth said:
> 
> 
> > Umm... that's because that Phone Icon is a link directly to the Phone app that was already installed. If you were to go into contacts and try to call somebody it would ask which to use since no default is set.
> ...


You'll have to set Dialer One as the new default calling app. Poke around the settings of the Dialer One app, while in it, and see if there is a "Set as Default" option or something similar. If not, you might have to go into your Apps, locate "Phone" and clear the data (I believe). This will make the default phone forget that it has priority, and the next time you attempt to open a phone link (just google a pizza place near you and open its phone number on google maps), it should ask you if you want to open it with Phone or Dialer One (and Remember This Selection, setting Dialer One as the new default).

Also, the icon on your homescreen will still be linked to the default Phone app, no matter what. You should delete the shortcut and create a new one in its place, for Dialer One. You can usually do this by dragging the old Phone out to trash (or long pressing it and hitting delete), and then going into your Apps Drawer and dragging the Dialer One app into the new empty spot.

(OR some phones actually let you choose what app that icon will open by longpressing, choosing "edit" and browsing your list of apps for Dialer One... if you really like how the default Phone icon looks or something and want to keep the style but have it open Dialer One)


----------



## Guild McCommunist (Sep 25, 2012)

Tempting. My phone is an utter piece of shit and I'd hope anything that can break its spirit will allow me to get a new one that isn't shit.


----------



## [M]artin (Sep 25, 2012)

Also, I have a Samsung Vibrant (aka U.S. branded Galaxy S I, T-Mobile carrier) running AOKP's ICS rom, Milestone 6 update. Did the dummy IMEI test, default dialer opened straight up and displayed the IMEI, 3 times over. Oh *SHIT*.


----------



## jalaneme (Sep 25, 2012)

[M]artin said:


> jalaneme said:
> 
> 
> > Jamstruth said:
> ...



that did the trick, thanks, will keep this app temporarily on my phone till google update the firmware.


----------



## air2004 (Sep 26, 2012)

Shit, my phone is vulnerable... I'm using a photon with ginger bread 2.3.5


----------



## Kioku_Dreams (Sep 26, 2012)

Good thing I back up on a day to day basis. O.o


----------



## Bladexdsl (Sep 26, 2012)

I wonder if apple created this


----------



## Gahars (Sep 26, 2012)

Bladexdsl said:


> I wonder if apple created this



Have you seen their new maps app? No way they could pull something this good.


----------



## iFish (Sep 26, 2012)

Moral of the story: If a link looks shady you shouldn't click it.


----------



## air2004 (Sep 26, 2012)

iFish said:


> Moral of the story: If a link looks shady you shouldn't click it.


The link doesn't have to be shady to get you.


----------



## Pleng (Sep 26, 2012)

Anybody know any replacement diallers that are compatible with dual sim phones?


----------



## Just Another Gamer (Sep 26, 2012)

air2004 said:


> iFish said:
> 
> 
> > Moral of the story: If a link looks shady you shouldn't click it.
> ...


I thought the moral was its better to use your computer for the internet and phone for gaming and other crap.


----------



## iFish (Sep 26, 2012)

Just Another Gamer said:


> air2004 said:
> 
> 
> > iFish said:
> ...


Gaming on your phone? What no. That's terrible. Unless it's a casual game. But being cautious is always a good thing.


----------



## Just Another Gamer (Sep 26, 2012)

iFish said:


> Just Another Gamer said:
> 
> 
> > air2004 said:
> ...


I think it depends what games you have but won't people just visit sites they normally go on their computer anyway I mean I don't check out anything new on my phone.


----------



## Sterling (Sep 26, 2012)

Stock LG Viper is vulnerable too. Just a heads up.


----------



## notmeanymore (Sep 26, 2012)

Looks like my HTC Inspire is vulnerable. But that could just be the ROM I was using. Installed DialerOne and now I'm good to go. Not that it really mattered for me anyway. I only use Opera Mobile, and the exploit only worked on my phone from the default browser.


----------



## Zerosuit connor (Sep 26, 2012)

Can confirm that the Xperia Ion and Xperia Play both with ICS are vulnerable.


----------



## SifJar (Sep 26, 2012)

It should be mentioned that not all manufacturers include a USSD code to perform a factory wipe with no confirmation. Just because your phone will execute USSD codes via websites, doesn't necessarily mean they could be used maliciously. Samsung include a USSD code that performs a complete wipe, without asking for confirmation. So that is obviously a target for malicious individuals. Other manufacturers provide other USSD codes, and it's highly possible that for some manufacturers, the ability to run USSD codes can't actually be used maliciously.


----------



## Psyfira (Sep 26, 2012)

Just Another Gamer said:


> I think it depends what games you have but won't people just visit sites they normally go on their computer anyway I mean I don't check out anything new on my phone.


Nope, plenty of people use their phones to access the internet while out or on public transport. And not everyone has their computer turned on 24/7, I know a few people who don't even turn their computers on anymore and use the phone on wifi instead. Different people use their phones in different ways, and "going on the internet" is a pretty common one.

About the exploit, am I the only one bothered that this has been known about for some time and the only response has been "we fixed it in the new version"? According to Google's Play store statistics there are so many users still on Gingerbread and earlier OSs that surely this warrants a patch, or am I missing something here? (and yes, my HTC Wildfire S on 2.3.5 is affected)


----------



## Just Another Gamer (Sep 26, 2012)

Psyfira said:


> Just Another Gamer said:
> 
> 
> > I think it depends what games you have but won't people just visit sites they normally go on their computer anyway I mean I don't check out anything new on my phone.
> ...


I'm not saying people don't use it to access the internet at all since I do but I just visit the sites I normally go on when I'm at home anyway like GBATemp and dA. Otherwise I don't have that much of a social life to need to visit many websites.

I'm a little curious would this affect you if you're using CM9? Since my SGW has been running CM9 for it since its release and it gets updated quite regularly.


----------



## EJames2100 (Sep 26, 2012)

Just been on http://dylanreeve.com/phone.php on my Sony Xperia S and it does open up my Phone book and show me my IMEI code.


----------



## SifJar (Sep 26, 2012)

Just Another Gamer said:


> I'm a little curious would this affect you if you're using CM9? Since my SGW has been running CM9 for it since its release and it gets updated quite regularly.


No, it's based on AOSP and AOSP has had a fix for this for several months now. You should be safe. To be safe, click the link in the post above mine; if your IMEI is displayed, you're still vulnerable. Check for updates to your ROM and if none are available, install this new app as a temporary workaround: TelStop (this is probably a better solution than Dialer One, which I previously recommended, but either is completely fine).


----------



## Just Another Gamer (Sep 26, 2012)

SifJar said:


> Just Another Gamer said:
> 
> 
> > I'm a little curious would this affect you if you're using CM9? Since my SGW has been running CM9 for it since its release and it gets updated quite regularly.
> ...


If it has been for several months then it should be fine, I'm just worried since the most recent update was on September 17 so I wasn't really sure if it could happen to me or not. It's not much of a concern since I backed up everything with TB already so I can restore it any time.


----------



## SifJar (Sep 26, 2012)

Just Another Gamer said:


> If it has been for several months then it should be fine, I'm just worried since the most recent update was on September 17 so I wasn't really sure if it could happen to me or not. It's not much of a concern since I backed up everything with TB already so I can restore it any time.


Did you read my post? Like I said, *click the link in the post above my last post* to check if your phone is vulnerable. Don't guess or assume. It takes literally about 1 second to check for sure.


----------



## Just Another Gamer (Sep 26, 2012)

SifJar said:


> Just Another Gamer said:
> 
> 
> > If it has been for several months then it should be fine, I'm just worried since the most recent update was on September 17 so I wasn't really sure if it could happen to me or not. It's not much of a concern since I backed up everything with TB already so I can restore it any time.
> ...


Sorry I did check and it's good. Got no problems.


----------



## [M]artin (Sep 26, 2012)

I think the real problem is that potentially any link could be a harmful link, it's really hard to be sure when browsing on your phone. That is, I could post a link right now that reads "Kirby Epic Yarn Review, let me know what you guys think in the comment section" but it will take you to puppiesdoingbackflips.gov. Most people click on links at sites they visit commonly with question or a second thought.

I know in browsers you can hover over a link and see where exactly it's taking you, but in most mobile browsers, it's slightly more of a hassle to see that info quickly and effortlessly. People simply click to get where they wanna get. Especially on their phones. And now that this has surfaced... it's a little scary.


----------



## Quietlyawesome94 (Sep 26, 2012)

I'd be so tempted to post this on a warez site for Samsung devices.

'Want the latest and greatest Android game? Click the link below from your phone to download it!'

Exactly what the little fuckers deserve.


----------



## Just Another Gamer (Sep 27, 2012)

Quietlyawesome94 said:


> I'd be so tempted to post this on a warez site for Samsung devices.
> 
> 'Want the latest and greatest Android game? Click the link below from your phone to download it!'
> 
> Exactly what the little fuckers deserve.


----------

