Last week we posted a story about how Android phones, the S III in particular, could be compromised via NFC, and this week we have one that definitely beats it. In last week’s story, the major risk was that the person who gained access could suck down all of your data, while with this recently unveiled exploit, you could quickly find your phone completely reset. Data gone, configuration gone, and probably your day gone.
The exploit was shown off at the Ekoparty 2012 security conference in Argentina, and unlike last week’s finding, which required at least 185 triggers of the exploit, this one requires no more than a single line of code. You’d imagine such a line of code would be difficult to execute, but no – it just requires you to visit, in your browser, a URL with the code embedded in it. Yes, it really seems to be that easy.
It’s important to note that not all Android devices are at risk here, but rather just Samsung’s Galaxy S III (I don’t remember seeing mention of this in the company’s recent ad!), or other Samsung devices running the same version of its back-end software. The hole lies in the handling of Unstructured Supplementary Service Data (USSD), which is how the phone sends messages to the application server. Send this particular message, and the phone proceeds to wipe itself – no questions asked.
Android exploits are hardly limited to Samsung, but with its Galaxy S III having reached such popularity, it was inevitable that it would be singled out. With the complexity of last week’s exploit, there really was no reason for anyone to be alarmed, but with this? If a single line of code can wipe out your device, then this needs to be something that Samsung issues an update for, and fast. As always, use caution when you browse either your e-mail or the Web – you never know who’s out there trying to ruin your day.