Start New Discussion within our Mobile Development Community

Samsung has fixed the Unstructured Supplementary Service Data (USSD) exploit that could remotely wipe data from a Galaxy S III smartphone, but that doesn't mean the USSD threat is over: far from it in fact. According to some security researchers, 400 million Android device users are at risk from having their hardware bricked.

It's not just owners of the Samsung Galaxy S III that are vulnerable to this particular attack, or indeed just Samsung handsets at all as first thought. As is often the case, the discovery of a vulnerability leads to several new ways to exploit it and that's what has happened here. According to several IT security researchers, a new USSD attack variant is out there which works on a huge number of smartphones running the Android OS.

The new variant of the USSD exploit no longer worries about remotely wiping data from specific handsets, but instead now concentrates on killing your SIM card and bricking your expensive smartphone. The original exploit worked by tricking the owner into visiting a web page where a factory reset code inside an iframe was loaded via a 'tel:' uniform resource identifier. The dialer application on the handset will automatically execute the code, and perform a factory reset. Tricking, in this context, isn't just restricted to luring the unwary to click a rogue link but can actually also involve touching a rogue NFC tag (if the handset is NFC-enabled) or scanning a rogue QR code.

The new variant leverages a code which can change the PIN of a SIM card using the Personal Unblocking Key (PUK). By simply executing the code multiple times, with the wrong PUK, the SIM will automatically and permanently lock down. The only recourse being for the user to approach their network operator to get a new code. Until they do, their smartphone remains dumb and dead. Because the PUK approach is a standard SIM card feature, the exploit can impact upon just about any handset running the Android OS.

Unpatched Android devices are at risk, as the Android dialer doesn't differentiate between USSD codes and phone numbers. Unpatched devices ranging from Android version 2.3.x to Android version 4.1.x are all vulnerable to this new variant USSD SIM PUK attack.

At the moment, considering that very few Android devices will be patched against this exploit, the best defence would appear to come in the form of a couple of free tools from security vendors which will block the PUK changing attempts. Bitdefender USSD Wipe Stopper and ESET USSD Control are available free of charge from Google Play.

Attachments dweb-profilestalker.jpg 33.69 KB

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.

Hello Davey,

your article has got warm welcome by me.
But is it necessary to disable this service?
if you have any discussion on that please reply me.


The article starter has earned a lot of community kudos, and such articles offer a bounty for quality replies.