An Android control code vulnerability originally reported as a Samsung problem in fact appears to affect most smartphones and UMTS tablets running Ice Cream Sandwich (version 4.0.x) or earlier versions of Android. Google updated the dialling software code in version 4.1.1 so that control codes are no longer executed automatically.

Most diallers based on the original Android dialler are therefore likely to be affected by the vulnerability. Reader comments on heise Security, The H's associates in Germany, bear this out, suggesting that some devices from almost every manufacturer are vulnerable. While it was originally thought that Sony (formerly Sony Ericsson) devices were affected only where alternative firmware, such as CyanogenMod, is installed, there have now been reports that the original firmware is also vulnerable. On non-modded Sony devices, a dedicated Sony dialler takes care of control codes.

The current version of Android (4.1.x "Jelly Bean") is installed on only 1.2% of all active Android devices, largely because Jelly Bean updates remain, and are likely to remain, unavailable for devices.

The problem with control codes is that the dialler executes them without requiring confirmation, whether they are typed into the on-screen keyboard by the user or passed to the dialler from a tel: URL on a web page. Whilst some codes are harmless, such as *#06#, which merely displays the phone's 15-digit IMEI number, other codes can cause the SIM card to be irrevocably blocked. Samsung smartphones even support a code which runs a factory reset, deleting all user data stored on the phone. According to reports, other manufacturers such as HTC may have integrated similar commands.

The diversity of methods for addressing the dialler means that control codes can lurk almost anywhere – on web sites, in HTML emails, in WAP push messages and even in QR codes. How manufacturers will respond to the problem remains unclear. Users of older devices in particular should not get their hopes up that the manufacturer of their devices will release a security patch.

As exploitation of the vulnerability is trivial and details have been circulating online for some time, device users would be ill-advised to wait for a response from the manufacturer. The H advises users to install one of the many apps for blocking control code execution which are now available. TelStop and NoTelURL have now been joined by G Data's USSD Filter. Installing an alternative browser can also prevent execution of tel: URLs on web pages, but does not protect users from control codes in QR codes or elsewhere.
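The kind of check a filter for web or mail content could apply, as an added example that is not taken from the article or from any of the apps named above: it flags tel: URIs whose decoded dial string contains `*` or `#`. Treating every such string as a control code is an assumed heuristic, and the function names and sample markup are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

URL_ATTRS = {"href", "src"}  # attributes that can carry a URL a browser will open


def tel_control_code(uri):
    """Return the decoded dial string if uri is a tel: URI with '*' or '#', else None."""
    uri = uri.strip()
    if not uri.lower().startswith("tel:"):  # URI schemes are case-insensitive
        return None
    # '#' is often percent-encoded as %23 so it is not parsed as a URL fragment
    target = unquote(uri[4:])
    # Heuristic (assumption): ordinary phone numbers contain neither '*' nor '#'
    return target if re.search(r"[*#]", target) else None


class TelLinkScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, decoded dial string)

    def handle_starttag(self, tag, attrs):
        # HTMLParser has already resolved character references such as &#35;
        for name, value in attrs:
            code = tel_control_code(value) if name in URL_ATTRS and value else None
            if code is not None:
                self.findings.append((tag, name, code))


def scan_html(html):
    scanner = TelLinkScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: the harmless IMEI display code from the article in three
# encodings, next to an ordinary phone number that must not be flagged.
SAMPLE = """
<a href="tel:+44-20-7946-0000">Call us</a>
<a href="tel:*%2306%23">percent-encoded</a>
<a href="TEL:*#06#">raw, upper-case scheme</a>
<a href="tel:*&#35;06&#35;">HTML character references</a>
"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE):
        print(finding)
```

The same `tel_control_code` check can be applied to the text decoded from a QR code, which a browser-only countermeasure does not cover.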

(djwm)