Exclamation The problem - and a solution

The issue has nothing to do with the browser. I've tested on ICS with Chrome, default browser and Dolphin - all behave the same way.

Test here: dylanreeve DOT com/phone.php (uses IMEI display USSD - it's totally safe).

The issue is with the stock dialer. If you can prevent that dialer from handling the tel: URL then you can either prevent or at least intervene in attack attempts. So the solution is... Install another dialer (probably any other dialer).

dylanreeve.posterous DOT com/remote-ussd-attack

(I can't post URLs yet)