Android Central

Update, 7:40am EDT: Samsung tells us it's "currently in the process of conducting an internal review" into the situation on the Galaxy S2 and other affected phones. Our own testing, and reports from readers, suggest that devices like the Galaxy S2 and Galaxy Note remain vulnerable to the USSD exploit.

Original story: Yesterday we reported on a particularly nasty security vulnerability in some Samsung smartphones, which could lead to a factory reset being triggered upon visiting a website containing malicious code. Phones confirmed to be affected included the Galaxy S2, Galaxy Beam and Galaxy Ace. Our testing on various Galaxy S3 models was inconclusive, though. Some models seemed vulnerable, while others were immune.

This morning, we have official confirmation from Samsung that Galaxy S3s around the world should indeed be protected from this exploit, assuming they're running the latest software update.

"We would like to assure our customers that the recent security issue concerning the GALAXY S III has already been resolved through a software update.

We recommend all GALAXY S III customers to download the latest software update, which can be done quickly and easily via the Over-The-Air (OTA) service."

Like Samsung, we always recommend keeping your phone up-to-date with the latest firmware. So if your Galaxy S3 phone is up-to-date, you shouldn't have anything to worry about. Of course, there's nothing in that statement about Galaxy S2-class devices, which our own tests, and reports from readers, have shown are still very much at risk from this latest vulnerability. We're sure Samsung will be hurriedly preparing updates for those devices, now that this exploit method is out in the open. Nevertheless, we'll update you with any new info they provide on the Galaxy S2 or other phones.

In the meantime, if you're still concerned that your Samsung phone may be vulnerable to the USSD bug, you can check our quick, easy USSD vulnerability test to see if you're protected or not.
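As an added example (not from the Android Central article, Samsung, or any of the commenters), here is a defender-side check in Python for the vector the article describes: a web page that hands the phone's dialer a tel: URI carrying a USSD/MMI code without the user tapping anything. It flags tel: URIs whose decoded payload has USSD syntax and records whether the carrying element (hidden iframe, meta refresh, inline script) fires on page load, which is what a web filter or page-scanning tool would want to log. The HTML sample is constructed; the only code it embeds is the harmless IMEI-display code *#06# that readers mention in the comments, and the USSD regex and the list of auto-loading elements are this example's own assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# USSD/MMI syntax (assumption for this example): begins with '*' or '#',
# a body of digits, '*' and '#', and a trailing '#'. A plain phone number
# such as "+15551234567" does not match.
USSD_RE = re.compile(r"^[*#]+[0-9*#]*#$")


def is_ussd_code(payload: str) -> bool:
    """True if a decoded tel: payload looks like a USSD/MMI code rather than a number."""
    return bool(USSD_RE.match(payload.strip()))


class TelUriCollector(HTMLParser):
    """Collects tel: URIs and notes whether the carrying element loads without a tap."""

    URI_ATTRS = ("href", "src", "data", "action")
    # Elements whose URI is fetched when the page loads, not when the user clicks.
    AUTO_TAGS = {"iframe", "frame", "img", "script", "object", "embed"}

    def __init__(self):
        super().__init__()
        self.found = []          # list of (tag, uri, auto_trigger)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # <meta http-equiv="refresh" content="0;url=tel:..."> navigates on its own.
            m = re.search(r"url\s*=\s*([^\s;]+)", a.get("content", ""), re.I)
            if m and m.group(1).strip("'\"").lower().startswith("tel:"):
                self.found.append(("meta", m.group(1).strip("'\""), True))
            return
        for name in self.URI_ATTRS:
            value = a.get(name, "").strip()
            if value.lower().startswith("tel:"):
                self.found.append((tag, value, tag in self.AUTO_TAGS))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline script that assigns a tel: URI to location also needs no user tap.
        if self._in_script:
            for m in re.finditer(r"tel:[^\s\"'<>]+", data, re.I):
                self.found.append(("script", m.group(0), True))


def scan_html(html: str) -> list:
    """One finding per tel: URI: element, raw URI, decoded payload, USSD flag, auto-trigger flag."""
    parser = TelUriCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for tag, uri, auto in parser.found:
        payload = unquote(uri[len("tel:"):])      # %23 -> '#', %2A -> '*'
        findings.append({
            "tag": tag,
            "uri": uri,
            "payload": payload,
            "ussd": is_ussd_code(payload),
            "auto_trigger": auto,
        })
    return findings


def risky_findings(html: str) -> list:
    """USSD-carrying tel: URIs that fire without a user tap: the pattern worth alerting on."""
    return [f for f in scan_html(html) if f["ussd"] and f["auto_trigger"]]


# Constructed sample page. The only USSD code used is *#06# (IMEI display), which is harmless.
SAMPLE_HTML = """
<html><body>
<a href="tel:+15551234567">Call support</a>
<a href="tel:*%2306%23">Tap to show IMEI</a>
<iframe src="tel:*%2306%23" style="display:none"></iframe>
<meta http-equiv="refresh" content="0;url=tel:*%2306%23">
<script>window.location = "tel:*%2306%23";</script>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        if f["ussd"] and f["auto_trigger"]:
            label = "AUTO+USSD"
        elif f["ussd"]:
            label = "ussd"
        else:
            label = "plain"
        print(f"{f['tag']:7s} {label:10s} {f['payload']}")
```

The `auto_trigger` flag is the useful part: a tel: link that needs a tap is ordinary web content, while a USSD payload inside an element that loads on its own is exactly what the commenters describe the updated dialers refusing to execute. A scanner can log the plain links and alert only on the auto-firing ones.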


Reader comments

Samsung: Galaxy S3 already updated with USSD exploit fix, reviewing situation with other phones [updated]

The dialer is called and the IMEI command is seen very very briefly but no IMEI code is displayed.
That's what I get on mine anyway, I hope that means it's safe...

I just got the L7 OTA from Verizon, and now when running the test it shows the dialer and briefly the *06*, but the dialer goes blank... is that what you are describing? If that's the case then yes, it's safe; the dialer is "fixed" to reject codes sent in from other apps.

Galaxy Note, latest official rom, still waiting for the exploit fix. I did notice that the Note is not mentioned in this article; yet the exploit exists.

"We recommend all GALAXY S III customers to download the latest software update, which can be done quickly and easily via the Over-The-Air (OTA) service."

Okay, so my GSIII says I'm up to date, but it might have been nice for the message from Samsung to be a bit more descriptive, like:

"We recommend all GALAXY S III customers to download the latest software update (for T-Mobile users your build number should be T999UVALH2; for Verizon users, etc.), which can be done quickly and easily via the Over-The-Air (OTA) service."

I'm at T999UVALH2, does that mean I've gotten the update?

It's not just Samsung phones. My Motorola Atrix 4G (running stock Gingerbread 2.3.6) is affected too (while my wife's updated Sammy Galaxy S III was fine).

Hi there,

Just wanted to let you know that we (Bitdefender) already released a tool on the Play Store that protects against this vulnerability. Now, once you tap on an exploiting link, Bitdefender will intercept the wipe command and ask you to decide what to do next. You may, if unsure, dismiss the USSD command.

You can download it from: http://bit.ly/BD_USSD_Wipe_Stopper

/Alin Vlad
Global Social Media Coordinator at Bitdefender