Smartphones running older versions of Android could also suffer from a wipe out by clicking on a single HTML link, which is the same security vulnerability that affects the Samsung Galaxy S III devices.
At first, a researcher from Germany’s Technical University Berlin, Ravi Borgaonkar, showed at the Ekoparty security conference in Argentina how he could wipe a Samsung Galaxy S III smartphone just by clicking on a single HTML link.
The USSD code to execute the wipe command could embed into a link or QR code, or sent to the device over a near-frequency-communications connection, Borgaonkar said. Just by clicking on the link in an email, Website, and even on social networks such as Twitter, was enough to trigger the command.
Samsung said they fixed the vulnerability through a software update and encouraged users to use the Over-the-Air capability to download the fix.
“We would like to assure our customers that the recent security issue concerning the GALAXY S III has already been resolved through a software update,” Samsung said.
While Borgaonkar’s presentation focused on Samsung Galaxy S III phones, he said later the vulnerability hit a wider pool of Android devices. So along those lines, Researcher Dylan Reeve verified the problem existed on an HTC One X running HTC Sense 4.0 on Android 4.0.3 (Ice Cream Sandwich) and a Motorola Defy running Cyanogen Mod 7 on Android 2.3.5 (Gingerbread).
The flaw appeared to originate in older versions of Google’s Android operating system, according to tests run by the Android Police blog. It turns out the vulnerability was in the standard Android dialer. While the vulnerability ended up fixed in the Android OS three months ago, many devices remained vulnerable because device manufacturers did not patch the flaw on their custom versions of Android and carriers did not push out a fix to their customers.