E-Threats Mobile & Gadgets

USSD Attack Could Kill SIM Cards on Androids

Following the remote wipe attack on some Samsung devices via a USSD code embedded in URL links with the “tel” prefix, QR codes and NFC-enabled cards, a new vulnerability in Android OS could affect millions of users.

The new USSD attack can change a SIM PIN and brute force a PUK lock, rendering the card unusable. The attack works by changing a card’s SIM PIN and trying the wrong PUK code several times, bricking the SIM card.

This attack is no longer limited to particular OS builds or devices, as all Android smartphones or tablets are vulnerable. Since the SIM PIN change code is standardized for Android devices, all users could be affected.

Android’s dialer picks up the USSD code from a maliciously crafted URL link and triggers the SIM PIN change by replacing the old PIN with a new one. Users only see notification of a successful PIN confirmation, but not the new PIN.

Unpatched Android devices could easily be bricked if several attempts at changing the SIM PIN and PUK code are made. Because the Android dialer fails to differentiate between USSD codes and phone numbers, unpatched tables and smartphones ranging from Android version 2.3.x to Android version 4.1.x are vulnerable to a SIM PIN change attack.

With a plethora of attack vectors that could deliver the code on users’ devices, we strongly encourage Android users to use the newly launched Bitdefender USSD Wipe Stopper that will keep them safe from all Android USSD attacks.

About the author

Liviu ARSENE

Liviu Arsene is the proud owner of the secret to the fountain of never-ending energy. That's what's been helping him work his everything off as a passionate tech news editor for the past couple of years. He is the youngest and most restless member of the Bitdefender writer team and he covers mobile malware and security topics with fervor and a twist. His passions revolve around gadgets and technology, and he's always ready to write about what's hot and trendy out there in geek universe.