It turns out that the "Dirty USSD" vulnerability demonstrated yesterday on Samsung devices affects all Android devices running anything below Android 4.1.x aka Jelly Bean.

Just to recap, the exploit (disclosed by researcher Ravi Borgaonkar at Ekoparty in Buenos Aires) uses the Android dialer to automatically "call" a USSD code (no user permission required!); the code can be spread through a legitimate-looking URL, an NFC attack, or a malicious QR code.

The most threatening USSD code, a factory reset, was specific to Samsung TouchWiz phones and has already been disabled by Samsung. However, there are many other USSD codes that work on different Android devices, though viaForensics's Ted Eull said they aren't so easy to find.

At first we thought the vulnerability involved a combination of the Android dialer and the stock browser, but it turns out it has nothing to do with the browser. Mobile security consultancy viaForensics was able to replicate the exploit with the Firefox and Dolphin browsers, and concluded that the problem is just the Android dialer.

Google has already released an over-the-air (OTA) patch for its own, unlocked Galaxy Nexus devices, which should all be running at least Android 4.1.1 by now.

Mitigation:

If you bought your device from a carrier, you are probably still vulnerable to this exploit. Unfortunately there's not much you can do, since the only entity that can update your OS is your carrier, which isn't exactly known for timely patching (hello, Android fragmentation). But all is not lost! Here are a few things you can do right now.

1. First, check if your Android phone is even vulnerable with a simple test Borgaonkar made. Click here from your phone's browser. If you can see your IMEI, Borgaonkar advises, tongue in cheek, to disconnect from the Internet.

2. Use an alternative Android dialer, which will stop the automatic execution of any USSD code. Dialer One and exDialer are free, easy to use, and can be found in Google Play. After you install your new dialer, go to your browser and click this link (a website with an innocuous USSD code) and you'll be prompted to complete the action with your stock Android Phone app, or with the dialer you just installed. Choose the latter and make it the default.

3. If you're interested in learning more about how Android fragmentation affects device security, install X-Ray, a DARPA-funded security app from Duo Security. X-Ray simply checks which version of Android you're running and lists all known privilege escalation vulnerabilities. Most of the vulnerabilities it detects can be exploited by a malicious app without asking for any special permissions. At the end, X-Ray shows you how to appeal to your carrier to release a prompt, OTA update.
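The check behind step 2 is simple: a dialer should only dial a plain phone number without asking, and must show the user anything else that arrives in a tel: link. The following is an added illustration of that policy in Python (not code from the article, from Android, or from Dialer One/exDialer); the function names and the constructed sample URIs are ours, and it also covers the percent-encoded and doubly encoded forms in which `*` and `#` can be hidden.

```python
"""Classify tel: URIs so a dialer can refuse to auto-run USSD/MMI codes.

The Dirty USSD bug was that the stock dialer executed whatever dial string a
tel: URI carried, MMI codes such as *#06# included, with no confirmation.
Example code written for this article; not from any shipping dialer.
"""
from typing import Optional
from urllib.parse import unquote

PLAIN_NUMBER = "plain-number"      # safe to dial without an extra prompt
USSD_CODE = "ussd-or-mmi-code"     # must be shown to the user and confirmed
NOT_TEL = "not-tel"                # not a usable tel: URI; ignore it

# Characters a hand-typed number may contain besides digits.
_SEPARATORS = set(" -.()")


def extract_dial_string(uri: str) -> Optional[str]:
    """Return the percent-decoded dial string of a tel: URI, or None.

    Decoding is the important step: '*' and '#' can arrive as %2A and %23,
    even doubly encoded, so the raw URI text can look like a plain number.
    """
    if uri[:4].lower() != "tel:":
        return None
    dial = uri[4:].split(";", 1)[0]    # drop RFC 3966 parameters (;phone-context=...)
    for _ in range(3):                 # peel off several layers of percent-encoding
        decoded = unquote(dial)
        if decoded == dial:
            break
        dial = decoded
    dial = dial.strip()
    return dial or None


def classify_tel_uri(uri: str) -> str:
    """Classify a tel: URI as a plain number, a USSD/MMI code, or neither."""
    dial = extract_dial_string(uri)
    if dial is None:
        return NOT_TEL
    if "*" in dial or "#" in dial:     # the MMI/USSD markers the modem acts on
        return USSD_CODE
    body = dial[1:] if dial.startswith("+") else dial
    digits = "".join(ch for ch in body if ch not in _SEPARATORS)
    return PLAIN_NUMBER if digits.isdigit() else USSD_CODE  # unknown junk: confirm


def needs_confirmation(uri: str) -> bool:
    """Policy a replacement dialer applies: only plain numbers dial silently."""
    return classify_tel_uri(uri) != PLAIN_NUMBER


if __name__ == "__main__":
    # Constructed samples; *#06# is the standard IMEI display code used in step 1.
    for sample in ("tel:+1-415-555-0100", "tel:%2A%2306%23", "tel:%252A%252306%2523"):
        print(sample, "->", classify_tel_uri(sample), "| prompt:", needs_confirmation(sample))
```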