James Mayes

Android dialler security flaw (and quick fix)

In Gadgets, Mobile on September 28, 2012 at 8:39 am

Noticed this one courtesy of Gareth earlier today. Flew through a couple of different sites researching and finding a fix I liked, thought I’d collate the info in one place.

There’s a recently exposed flaw on Android that allows a malicious web page to trigger dial commands through a URL automatically, with no confirmation from you. This means a site could potentially do a number of things, including auto-dialling calls and forcing system-level commands – potentially including a factory reset.

Not all phones seem to be vulnerable – but I’m running an HTC One X with 4.0.4 on board, and mine was indeed exposed.

First up, visit this page from your device to test it. If it automatically shows the IMEI number of your device, your handset is not secure. If the dialler opens, but gives you the CHOICE of whether or not to dial, you’re fine.

A little more bouncing around found me a great fix. Erik Thauvin released a quick install called NoUSSD (available for direct download or in the Android Play Store). Install it (it’s a tiny download) and it will ensure any dial action in a web page is forced to give you the choice before the phone dials.
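To illustrate the kind of check a dial filter can apply before anything reaches the dialler, here is an added example (not NoUSSD's code and not from the original post). It assumes dial links use the `tel:` URI scheme and treats any dial string containing `*` or `#` as a code that needs confirmation; the function names and sample values are constructed for this sketch.

```python
from urllib.parse import unquote

# Assumption of this example: '*' or '#' marks an MMI/USSD-style code
# rather than a plain phone number.
CODE_CHARS = set("*#")
SEPARATORS = set(" -.()")      # visual separators allowed in a number
ASCII_DIGITS = set("0123456789")


def classify_dial_uri(uri: str) -> str:
    """Return 'not-dial', 'number', 'code' or 'malformed' for a link target."""
    scheme, sep, rest = uri.strip().partition(":")
    if not sep or scheme.lower() != "tel":
        return "not-dial"
    # Decode once: '#' normally arrives as %23, because a raw '#' would
    # start a URL fragment.
    dial = unquote(rest)
    # Check the whole decoded string, parameters included, for code characters.
    if any(c in CODE_CHARS for c in dial):
        return "code"
    # Drop URI parameters such as ;ext=123 before validating the number.
    number = dial.split(";", 1)[0]
    body = number[1:] if number.startswith("+") else number
    digits = [c for c in body if c not in SEPARATORS]
    if digits and all(c in ASCII_DIGITS for c in digits):
        return "number"
    return "malformed"


def needs_confirmation(uri: str) -> bool:
    """Fail closed: hold anything dial-related that is not a plain number."""
    return classify_dial_uri(uri) in ("code", "malformed")


if __name__ == "__main__":
    # Constructed sample link targets, not taken from any real page.
    samples = [
        "tel:+44 20 7946 0000",   # ordinary number
        "tel:*%2306%23",          # percent-encoded code (IMEI display)
        "TEL:%2a%2306%23",        # same code, fully encoded, upper-case scheme
        "tel:%252306",            # double-encoded: left undecoded, so held
        "http://example.com/",    # not a dial link at all
    ]
    for s in samples:
        print(f"{s!r:28} {classify_dial_uri(s):10} confirm={needs_confirmation(s)}")
```
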

Hope this is useful.

 

  1. Thanks for this James – just used your guide and found my Galaxy S2 was also vulnerable. I can recommend the NoUSSD from the Play Store (FOC), appreciate it!
