Following the remote wipe attack on some Samsung devices, triggered by a USSD code embedded in URL links with the “tel” prefix, in QR codes and in NFC-enabled cards, a new vulnerability in Android OS could affect millions of users.
The new USSD attack can change a SIM PIN and brute-force the PUK lock, rendering the card unusable. The attack works by changing the card’s SIM PIN and then entering a wrong PUK code several times, bricking the SIM card.
This attack is no longer limited to particular OS builds or devices: all Android smartphones and tablets are vulnerable. Since the SIM PIN change code is standardized across Android devices, all users could be affected.
Android’s dialer picks up the USSD code from a maliciously crafted URL link and triggers the SIM PIN change, replacing the old PIN with a new one. Users see only a notification that the PIN change succeeded, not the new PIN itself.
Unpatched Android devices can easily be bricked once several attempts at changing the SIM PIN and PUK code are made. Because the Android dialer fails to differentiate between USSD codes and phone numbers, unpatched tablets and smartphones running Android 2.3.x through 4.1.x are vulnerable to the SIM PIN change attack.
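The root cause described above is that the dialer treats any string arriving through a “tel” link as something to dial, whether it is a phone number or an MMI/USSD command. The following Python snippet is an added example, not code from this article or from Bitdefender, showing the check a hardened link handler or a defensive filter should make before handing a dial string to the phone app: decode the URI, then classify it, and never auto-execute anything containing `*` or `#`. The function names, the three policy outcomes and all sample URIs are constructed for illustration; the sample codes are placeholders and not the real SIM PIN change sequence.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Characters that turn a dial string into an MMI/USSD command instead of a plain number.
MMI_CHARS = set("*#")

# Visual separators RFC 3966 permits inside a tel: URI; they carry no dialing meaning.
VISUAL_SEPARATORS = "-.()"


def parse_tel_uri(uri: str) -> Optional[str]:
    """Return the normalized dial string of a tel: URI, or None if it is not a tel: URI.

    Percent-encoding is decoded first: a link can carry '#' as %23 and '*' as %2A,
    so a check that looks for literal '*' / '#' before decoding is trivially bypassed.
    """
    if not uri.lower().startswith("tel:"):
        return None
    dial = unquote(uri[4:])
    # Drop URI parameters (";phone-context=..." and friends); they are not dialed.
    dial = dial.split(";", 1)[0]
    # Strip separators and whitespace so "*#12-34#" and "*#1234#" compare equal.
    return "".join(ch for ch in dial if ch not in VISUAL_SEPARATORS and not ch.isspace())


def classify_dial_string(dial: str) -> str:
    """'number'  -> plain E.164-style number (optional '+', up to 15 digits)
       'mmi'     -> contains '*' or '#': an MMI/USSD/supplementary-service code
       'invalid' -> anything else (letters, empty string, stray symbols)"""
    if re.fullmatch(r"\+?\d{1,15}", dial):
        return "number"
    if any(ch in MMI_CHARS for ch in dial) and re.fullmatch(r"[\d*#+]+", dial):
        return "mmi"
    return "invalid"


def dialer_policy(uri: str) -> str:
    """Decision a hardened tel: handler should take for a URI from a web page,
    QR code or NFC record (hypothetical policy, assumed for this example):
       'dial'    -> pre-fill the dialer; the call is only placed when the user taps Call
       'confirm' -> an MMI/USSD code: never send it automatically, require an explicit
                    user confirmation that shows the full code
       'reject'  -> not a tel: URI, or not a dialable string at all"""
    dial = parse_tel_uri(uri)
    if dial is None:
        return "reject"
    kind = classify_dial_string(dial)
    if kind == "number":
        return "dial"
    if kind == "mmi":
        return "confirm"
    return "reject"


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a page, a QR code or an NFC tag.
    samples = [
        "tel:+1-555-0100",        # ordinary number with visual separators
        "tel:*123%23",            # placeholder USSD code, '#' percent-encoded
        "tel:%2A%23123%23",       # same idea, fully percent-encoded
        "TEL:(555)%200100",       # upper-case scheme, encoded space
        "mailto:someone@example.com",
        "tel:12ab",
    ]
    for s in samples:
        print(f"{s:32} -> {parse_tel_uri(s)!r:14} -> {dialer_policy(s)}")
```

The important caveat the example encodes is the decoding order: `#` is a URI fragment delimiter, so a malicious link would normally carry it as `%23`, and any filter that inspects the raw URI text instead of the decoded dial string will miss it. Requiring confirmation for every `mmi` string rather than maintaining a blocklist of known-bad codes also means new or carrier-specific codes are covered without updates.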
With a plethora of attack vectors that could deliver the code to users’ devices, we strongly encourage Android users to use the newly launched Bitdefender USSD Wipe Stopper, which will keep them safe from all Android USSD attacks.