"Feature" was meant to make phone techs' lives easier, but turns out to be gaping security hole

One of the biggest Android vulnerabilities to date was discovered this week, but not in Google Inc.'s (GOOG) Android OS itself. The vulnerability was found in Samsung Electronics Co., Ltd.'s (KSC:005930) TouchWiz UI and allows malicious users to direct unwitting Samsung Android owners to webpages with frames that contain a reset code that wipes their device clean.

Google has long grunted and grumbled about OEMs' desire to "skin" Android with custom UI experiences. It was originally looking to kill off the practice, but it has since relented, allowing TouchWiz UI and other custom Android UIs to persist.

The vulnerability in TouchWiz reportedly affects multiple devices including the best-selling Galaxy S II, plus many lesser-known Samsung handsets like the Galaxy Beam.  The vulnerability involves sending the code *2767*3855# to the phone's dialer, which triggers a factory reset.

Samsung's Android build allows websites to contain the code <frame src="tel:..."> which auto-launches a call to a phone number when you click on the pertinent object.  Using this vulnerability, the clickable wiping item could be hidden in all manner of website images or links.

The vulnerability was first discovered by Android enthusiast Pau Oliva (Note: contrary to his comment, the Galaxy S3 does not autocall the number, though this is the case on the S II). 

Fortunately, some newer Galaxy phones (such as the Galaxy S III) have a slightly toned-down version of TouchWiz, which will only bring up the number in the dialer app, not automatically initiate the call. Hence, while the reset code does work, the danger to the owners of those Samsung phones is minimal, given that they would have to accidentally hit the call button after the reset code came up to complete the wipe on those devices.

For owners of older devices, the call reportedly auto-initiates, leaving the user with no escape.
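
A defender's view of the mechanism described above, as an added example that is not from the original article: a Python scanner that flags tel: URIs carrying service codes in a page's HTML and records whether the element loads without a click. The AUTOLOAD set, the `*`/`#` heuristic and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import unquote
import re

# Tag/attribute pairs a browser loads without a click (assumption: not exhaustive).
AUTOLOAD = {("frame", "src"), ("iframe", "src"), ("embed", "src"), ("object", "data")}
# MMI/USSD-style service codes contain * or #; ordinary phone numbers do not.
SERVICE_CODE = re.compile(r"[*#]")
META_URL = re.compile(r"url\s*=\s*['\"]?([^'\";]+)", re.I)


class TelUriScanner(HTMLParser):
    """Collects tel: URIs that carry service codes rather than plain numbers."""
    def __init__(self):
        super().__init__()
        self.findings = []  # tuples of (tag, attribute, decoded number, autoload)

    def _check(self, tag, attr, url, autoload):
        url = url.strip()
        if not url.lower().startswith("tel:"):
            return
        number = unquote(url[4:])  # percent-decoding turns "%23" into "#"
        if SERVICE_CODE.search(number):
            self.findings.append((tag, attr, number, autoload))

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        for attr in ("src", "href", "data"):
            if attr in a:
                self._check(tag, attr, a[attr], (tag, attr) in AUTOLOAD)
        # A meta refresh navigates by itself, so treat it as autoload too.
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_URL.search(a.get("content", ""))
            if m:
                self._check(tag, "content", m.group(1), True)


def scan(html):
    scanner = TelUriScanner()
    scanner.feed(html)
    return scanner.findings


# Constructed sample page. *#06# is the harmless "show IMEI" code, used as a stand-in.
SAMPLE = """<html><frameset><frame src="tel:*%2306%23"></frameset>
<a href="tel:+15555550100">Call support</a>
<a href="tel:*%2306%23">click me</a>
<meta http-equiv="refresh" content="0; url=tel:*%2306%23"></html>"""
```

Calling `scan(SAMPLE)` returns three findings: the frame and the meta refresh are marked as autoload, the link as click-only, and the ordinary support number is ignored.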

According to The Verge, Samsung says it's "looking into" these reports. Pau Oliva, a telecom engineer and Android enthusiast, first reported the vulnerability via Twitter.

Sources: Pau Oliva [Twitter], The Verge

Copyright 2017 DailyTech LLC.