Owners of the Samsung Galaxy S2 and S3 may be vulnerable to a flaw that could allow their personal data to be deleted from their device, a security researcher has discovered.
The malicious code, which is now circulating on the Internet, could trigger a factory reset of the popular handsets, according to Ravi Borgaonkar, a researcher in the Security in Communications department at Technical University Berlin, who demonstrated the vulnerability at the Ekoparty security conference in Argentina last week.
The flaw lies in the way Samsung's TouchWiz UI handles unstructured supplementary service data (USSD) codes, which execute commands when entered on the handset's keypad. While most dialers require the user to hit the "send" button to complete the code, Samsung's does not, Borgaonkar said.
He showed how the flaw could be exploited on a Samsung Galaxy S3 via a single code embedded in a Web link, QR code, NFC connection, or SMS, supplying the correct factory reset code to wipe the device without warning the owner or asking for permission.
Borgaonkar also said it was possible to lock the SIM card, preventing owners from using many of the device's features. However, attacks can be prevented by turning off "service loading" in settings and disabling QR code and NFC apps, he said.
Samsung appears to be the only Android smartphone maker affected by the flaw, Borgaonkar said.
"It's possible to exploit this attack only on Samsung devices," he said.
Samsung said it has issued a software update to address the issue on the Galaxy S3 and is evaluating whether other models were affected.
"We believe this issue was isolated to early production devices, and devices currently available are not affected by this issue," the company said in a statement. "To ensure customers are fully protected, Samsung advises checking for software updates through the 'Settings: About device: Software update' menu. We are in the process of evaluating other Galaxy models."
Updated 9/26 at 9:35 a.m. PT with Samsung comment.