Test your Android phone for the web browser hard-reset exploit

About The Author

CNET Editor

Joe capitalises on a life-long love of blinking lights and upbeat MIDI soundtracks covering the latest developments in smartphones and tablet computers. When not ruining his eyesight staring at small screens, Joe ruins his eyesight playing video games and watching movies. Twitter: @Joseph_Hanlon

It has been revealed that some Android-powered products are vulnerable to a browser-based exploit that will hard reset the phone and wipe all of your data.

The exploit has come to our attention via a demonstration posted to YouTube shot at Ekoparty 2012 (video above), showing how a direct-dial feature in the stock Android browser can execute a USSD service call and launch a command to wipe the phone. The problem, of course, is that if you see on your phone what is demonstrated in the video, it's already too late.

To test whether your phone is vulnerable to an attack, you can follow this link through your phone's stock browser. This will execute a similar process to the exploit, but instead of the service call wiping the phone, it will display your phone's IMEI number. If you see the IMEI number, your phone is vulnerable. If it only launches the phone's dialler without placing the service call, you should be OK. We tested this link with a new Galaxy S3 4G, and were pleased that while the dialler launched, the USSD code wasn't executed.

If you are vulnerable, see whether you can update the firmware on your phone. The latest information is suggesting that this is an older issue with Android products, and that the bug has been squashed in the most recent firmware builds for many of the latest phones.

If you can't find new firmware for your phone, and you feel that your data might be at risk, make sure that you make a backup of the items you'd hate to lose. There are numerous backup apps available on the Play Store that can back up sensitive data like SMSes and settings, along with standard data items like media files.

Add Your Comment 21

Post comment as

Im Batman posted a comment   

Interesting wee exploit.
The results from the website test say that non samsung phones are okay.
From what i have seen else where, this eploit is only for Samsung Touch-wiz phones, other phones might respond to the test but there is not contain the same code for factory reset


pm4r5h posted a comment   

Samsung Galaxy S2 I9000T

Running NeatROM 4.0.3

Vulnerable on all of Stock browser, Chrome and Firefox


Chandler posted a comment   

Results from Samsung Galaxy Nexus (running Android 4.1.1 - Jelly Bean):

Dialer appears and has the *#06# code pre-inserted, but doesn't make the call - so all good, yeah?

Tested both in Chrome and stock Browser.


Will1505 posted a reply   

Yeah stock android shows that, i'm assuming its ok


BrandonS1 posted a comment   

LG-p999 T-Mobile G2x vulnerable.


DavidM7 posted a comment   

Sony Xperia Active is vulnerable. The 4.0 upgrade promised earlier in the year is still not released for my exact phone despite me buying it outright.
If it gets wiped I'll just throw it away and buy a new phone.


RickyS posted a comment   

Tested on HTC One XL , stock browser. My IMEI was displayed.


mikey74 posted a comment   

Tested with Samsung Galaxy S2 with CyanogenMod 10 (Jelly Bean) with Stock Browser and with Chrome and it is safe for both!


JohnB15 posted a comment   

what if it displays an MEID number?galaxy s2 sprint 4.0.4


Will1505 posted a reply   

As stated in the article, if the IMEI is shown, your phone is vulnerable.

Sponsored Links

Recently Viewed Products