Security Protection – Harry Waldron MVP

Android Mobile Security – Dirty USSD reset exploit

Further confirmation has been received that all Android devices may be affected where carriers or vendors have not yet provided patches. An update is noted below:

http://securitywatch.pcmag.com/none/303186-my-android-device-is-vulnerable-to-a-dirty-ussd-hack-now-what

QUOTE: It turns out that the “Dirty USSD” exploit demonstrated yesterday on Samsung devices affects all Android devices running anything below Android 4.1.x aka Jelly Bean. Just to recap, the exploit (disclosed by researcher Ravi Borgaonkar at Ekoparty in Buenos Aires) uses the Android dialer to automatically “call” a USSD code (no user permission required!); the code can be spread through a legit-looking URL, an NFC attack, or a malicious QR code. The most threatening USSD code, a factory reset, was specific to Samsung TouchWiz phones and has already been disabled by Samsung. However, there are many other USSD codes that work on different Android devices, though viaForensics’s Ted Eull said they aren’t so easy to find.

If you bought your device from a carrier, you are probably still vulnerable to this exploit. Unfortunately there’s not much you can do since the only entity that can update your OS is your carrier, which isn’t exactly known for timely patching (hello Android fragmentation). But all is not lost! Here are a few things you can do right now.

1. First, check if your Android phone is even vulnerable with a simple test Borgaonkar made. Click here from your phone’s browser. If you can see your IMEI, Borgaonkar advises, tongue in cheek, to disconnect from the Internet.

2. Use an alternative Android dialer, which will stop the automatic execution of any USSD code. Dialer One and exDialer are free, easy to use, and can be found in Google Play. After you install your new dialer, go to your browser and click this link (a website with an innocuous USSD code) and you’ll be prompted to complete the action with your stock Android phone, or with the dialer you just installed. Click the latter by default.

3. If you’re interested in learning more about how Android fragmentation affects device security, install X-Ray, a DARPA-funded security app from Duo Security. X-Ray simply checks which version of Android you’re running and lists all known privilege escalation vulnerabilities. Most of the vulnerabilities it detects can be exploited by a malicious app without asking for any special permissions. At the end, X-Ray shows you how to appeal to your carrier to release a prompt OTA update.
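The quoted article explains that the exploit works because the stock dialer executes a service code handed to it by a link, NFC tag, or QR code without asking the user, and that the fix on the device side is a dialer that prompts instead. The same distinction (an ordinary phone number versus a star/hash service code) can be checked in content before it reaches a phone, for example by a web proxy, a QR-scanner app, or a content filter. The script below is an added example written for this post; it is not code from PCMag, Borgaonkar, or Harry Waldron. The sample link payloads and HTML snippet are constructed, and the only service code used is the IMEI display code the article's own test relies on.

```python
import re
from urllib.parse import unquote

# Constructed sample payloads (not from the original post): plain tel: links,
# a tel: link carrying a USSD-style code (percent-encoded and raw), and a
# normal https URL that a scanner should ignore.
SAMPLE_PAYLOADS = [
    "tel:+15551234567",
    "tel:*%2306%23",      # percent-encoded '*#06#', the IMEI display code
    "TEL:*#06#",
    "https://example.invalid/page",
    "tel:555-1234",
]

# Constructed HTML fragment mixing an ordinary link, a plain dial link, and a
# link that would hand a service code to the dialer.
SAMPLE_HTML = (
    '<a href="https://example.invalid/">Home</a> '
    '<a href="tel:+15551234567">Call us</a> '
    "<A HREF='tel:*%2306%23'>Support</A>"
)

# USSD/MMI service codes begin with '*' or '#' and end with '#'. An ordinary
# dial string is digits with an optional leading '+' and common separators.
USSD_RE = re.compile(r"^[*#][0-9*#]*#$")
DIAL_RE = re.compile(r"^\+?[0-9][0-9\-().\s]*$")
HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def classify_tel_target(payload: str) -> str:
    """Classify one link/QR payload as 'not-tel', 'dial', 'ussd' or 'suspicious'.

    Percent-encoding is decoded first, because '#' must be encoded as %23 in a
    URL and a scanner that only looks for a literal '*#' pattern would miss it.
    """
    scheme, sep, rest = payload.partition(":")
    if not sep or scheme.strip().lower() != "tel":
        return "not-tel"
    target = unquote(rest).strip()
    if USSD_RE.match(target):
        return "ussd"
    if DIAL_RE.match(target):
        return "dial"
    # Anything else in a tel: link (letters, mixed symbols) is worth a look.
    return "suspicious"


def scan_payloads(payloads):
    """Return (payload, verdict) pairs for a batch of link or QR payloads."""
    return [(p, classify_tel_target(p)) for p in payloads]


def audit_html(html: str):
    """Extract every href from an HTML fragment and report the tel: ones."""
    results = []
    for href in HREF_RE.findall(html):
        verdict = classify_tel_target(href)
        if verdict != "not-tel":
            results.append((href, verdict))
    return results


if __name__ == "__main__":
    for payload, verdict in scan_payloads(SAMPLE_PAYLOADS):
        print(f"{verdict:10s} {payload}")
    for href, verdict in audit_html(SAMPLE_HTML):
        print(f"{verdict:10s} {href}")
```

A filter built on this would block or rewrite any `tel:` link whose decoded target matches the service-code pattern and let plain numbers through, which is the same decision the alternative dialers in step 2 push back to the user. The decoding step matters: the `#` in a service code is normally percent-encoded inside a URL, so a check on the raw link text alone is easy to miss.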
