Samsung Phones Vulnerable to Factory Reset Hack

One simple line of code embedded on a Web page can trigger a factory reset or lock the SIM card on top-of-the-line Samsung phones, a researcher has discovered.
Source: SecurityNewsDaily

At the Ekoparty security conference in Buenos Aires, Argentina, last week, Technical University of Berlin researcher Ravi Borgaonkar demonstrated how a text message, NFC connection or QR code could cause an Android phone running Samsung's proprietary TouchWiz interface — in this case, a Galaxy S III — to undergo data loss without warning.

Borgaonkar said the exploitable flaws lie in the way the Galaxy S III and other Samsung phones with TouchWiz use Unstructured Supplementary Service Data to communicate with application servers.

If the phone is sent to a Web page with the malicious code "*2767*3855#" embedded in a simple frame, it will revert to its factory settings. Manually browsing to the Web page, however, will not activate the code.
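A defender's check for the pattern described above, as an added example that is not from the article or from Borgaonkar: it scans HTML for frames (and meta refreshes) that auto-load a dialer code. It assumes the code reaches the dialer as a `tel:` URI, which the article does not spell out; the function names are hypothetical, and the constructed sample uses the harmless IMEI-display code `*#06#`.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# A dial string of only digits, * and # that starts with * or # and ends
# with # is an MMI/USSD-style code, not an ordinary phone number.
MMI_CODE = re.compile(r"^[*#][0-9*#]*#$")
FRAME_TAGS = {"iframe", "frame"}  # elements loaded without a tap


class TelCodeFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (location, decoded dial string)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in FRAME_TAGS:
            self._check(tag, attrs.get("src"))
        elif tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(\S+)", attrs.get("content") or "", re.I)
            if m:
                self._check("meta refresh", m.group(1).strip("'\""))

    def _check(self, where, url):
        url = (url or "").strip()
        if url.lower().startswith("tel:"):
            dialed = unquote(url[4:]).replace(" ", "")  # %23 -> '#'
            if MMI_CODE.match(dialed):
                self.findings.append((where, dialed))


def find_autoloaded_dialer_codes(html):
    finder = TelCodeFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page; *#06# only displays the IMEI.
SAMPLE = """<html><body>
<a href="tel:+15555550100">Call us</a>
<iframe src="tel:*%2306%23"></iframe>
<frame src="TEL:*#06#">
<iframe src="tel:+15555550100"></iframe>
<meta http-equiv="refresh" content="0; url=tel:%2A%2306%23">
</body></html>"""
```

Ordinary click-to-call links and frames that point at a normal phone number are not reported; only auto-loaded `tel:` targets that decode to a `*`/`#` code are.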

Some readers of the tech blog TheNextWeb reported that the mobile version of Chrome did not allow the code to execute. (Borgaonkar used the default Android browser.)

The tech blog also reported that the Samsung Galaxy S II, Galaxy S III, Galaxy S Advance, Galaxy Ace and Galaxy Beam are vulnerable to this security flaw.

The security hole does not affect Samsung phones that run the standard Android operating system without the TouchWiz interface, such as the Galaxy Nexus.

Different TouchWiz-enabled phones may be affected differently. In some phones the code might trigger a factory reset, but in others it could cause the SIM card to lock out the legitimate user.

In TheNextWeb's own tests on a Galaxy S III running Jelly Bean (Android 4.1), the reset code was loaded but did not automatically execute. At Ekoparty, the hack was demonstrated on Ice Cream Sandwich (Android 4.0), which may indicate that the exploit was somehow patched in the more recent version of Android.

The Android Police website seemed to think the problem lies with Android itself, rather than the TouchWiz interface, and said that recent over-the-air updates pushed out to Galaxy S III phones by the major American carriers would neutralize the exploit.

Borgaonkar today tweeted out the URL of a webpage that he said would reveal whether a phone was vulnerable: http://www.isk.kth.se/~rbbo/testussd.html.

A SecurityNewsDaily test using a T-Mobile Samsung Galaxy S III showed no results, but PC Magazine was able to demonstrate the vulnerability on a Verizon Wireless Samsung Galaxy S III.

The apparent flaw in the TouchWiz interface highlights an inherent problem in the way Android is distributed and marketed. Each new piece of code added by phone makers and wireless carriers to Google's stock Android alters the security situation, with the result often being the introduction of hidden vulnerabilities.

Follow Ben on Twitter.