How to disable SIM-killing USSD PUK attack that has spread to all Androids


Samsung has fixed the Unstructured Supplementary Service Data (USSD) exploit that could remotely wipe data from a Galaxy S III smartphone, but that doesn't mean the USSD threat is over: far from it in fact. According to some security researchers, 400 million Android device users are at risk from having their hardware bricked.

It's not just owners of the Samsung Galaxy S III that are vulnerable to this particular attack, or indeed just Samsung handsets at all as first thought. As is often the case, the discovery of a vulnerability leads to several new ways to exploit it and that's what has happened here. According to several IT security researchers, a new USSD attack variant is out there which works on a huge number of smartphones running the Android OS.

The new variant of the USSD exploit no longer worries about remotely wiping data from specific handsets, but instead now concentrates on killing your SIM card and bricking your expensive smartphone. The original exploit worked by tricking the owner into visiting a web page where a factory reset code inside an iframe was loaded via a 'tel:' uniform resource identifier. The dialer application on the handset will automatically execute the code, and perform a factory reset. Tricking, in this context, isn't just restricted to luring the unwary to click a rogue link but can actually also involve touching a rogue NFC tag (if the handset is NFC-enabled) or scanning a rogue QR code.

The new variant leverages a code which can change the PIN of a SIM card using the Personal Unblocking Key (PUK). By simply executing the code multiple times, with the wrong PUK, the SIM will automatically and permanently lock down. The only recourse being for the user to approach their network operator to get a new code. Until they do, their smartphone remains dumb and dead. Because the PUK approach is a standard SIM card feature, the exploit can impact upon just about any handset running the Android OS.

Unpatched Android devices are at risk, as the Android dialer doesn't differentiate between USSD codes and phone numbers. Unpatched devices ranging from Android version 2.3.x to Android version 4.1.x are all vulnerable to this new variant USSD SIM PUK attack.

At the moment, considering that very few Android devices will be patched against this exploit, the best defence would appear to come in the form of a couple of free tools from security vendors which will block the PUK changing attempts. Bitdefender USSD Wipe Stopper and ESET USSD Control are available free of charge from Google Play.

About the Author

A freelance technology journalist for 30 years, I have been a Contributing Editor at PC Pro (one of the best selling computer magazines in the UK) for most of them. As well as currently contributing to, The Times and Sunday Times via Raconteur Special Reports, SC Magazine UK, Digital Health, IT Pro and Infosecurity Magazine, I am also something of a prolific author. My last book, Being Virtual: Who You Really are Online, which was published in 2008 as part of the Science Museum TechKnow Series by John Wiley & Sons. I am also the only three times winner (2006, 2008, 2010) of the BT Information Security Journalist of the Year title, and was humbled to be presented with the ‘Enigma Award’ for a ‘lifetime contribution to information security journalism’ in 2011 despite my life being far from over...

solutionsinfini 0 Newbie Poster

Hello Davey,

your article has got warm welcome by me.
But is it necessary to disable this service?
if you have any discussion on that please reply me.


Be a part of the DaniWeb community

We're a friendly, industry-focused community of 1.20 million developers, IT pros, digital marketers, and technology enthusiasts learning and sharing knowledge.