XDA Developers Android and Mobile Development Forum
pandata000
(Last edited by pandata000; 28th September 2012 at 12:57 PM.) Reason: added more info
#1  
Member - OP
[APP][FREE][Non-root] USSD vulnerability fix

Hi XDA's !

I made a quite simple, small and free app that will help you fix the recently shown USSD/MMI vulnerability, which affects many Android devices.

For reference: http://www.youtube.com/watch?v=Q2-0B04HPhs

Most Samsung phones are fixed against the data wipe (there's no reported MMI command for HTCs), but MANY Android devices are still vulnerable to MMI commands, including PIN code change ones, which can block your SIM card after the MMI command for PIN change is executed more than 10 times with a wrong PIN (for example, a malicious URL with 10 frames containing the PIN change instruction).

Please follow the installation instructions below:

1. Check if your phone is vulnerable - open your mobile browser and navigate to: http://goo.gl/4IWgL (or use the barcode below)
2. If your phone is vulnerable you will see your IMEI number displayed.

This means that service MMI commands can be executed on your phone when you visit a malicious web page. The MMI commands are service commands, and if you see the IMEI it doesn't mean that your phone is vulnerable to the Samsung data wipe vulnerability. BUT an attacker can still block your SIM card by issuing an MMI string to change your PIN code more than 10 times. Finally your SIM card will be blocked.


3. If you DON'T see the IMEI number, you are safe and you don't need this app.
4. If you see a popup with your IMEI number, then install this app from Google Play (click on the install button on the left).
5. Once you install the app navigate again to: http://goo.gl/4IWgL (or use the barcode below)
6. Your phone will ask you how to complete the action. Choose USSDFix and mark it as default for this action.
7. You will see a notification that your phone tries to open a page that contains a USSD call and will block it.
8. Your phone is safe now !




* No background processes
* No services in memory
* No ads
* Hidden launcher


Use this barcode to test your phone:



NOTE: The app uses a hidden launcher and will not appear in the list of the other apps on your phone desktop. If you want to remove the program, please navigate to Settings / Manage Applications and then remove "USSDfix" app.


The app is available on Google Play: https://play.google.com/store/apps/d...pycell.ussdfix
 
hsz#
#2  
Member
How do you check if a number is USSD?
 
pandata000
#3  
Member - OP
Quote:
Originally Posted by hsz#
How do you check if a number is USSD?
First it handles calls from browser like "tel:", then it checks for * and %23 (#) in the dialed string.
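
The check described in the reply above, sketched in plain Java as an added example (this is not the USSDFix app's own code; the class and method names are hypothetical). It goes slightly beyond the literal description by percent-decoding the dialed string first, so that an encoded `*` (`%2A`) is caught as well as `%23`. The sample URIs are constructed, and `*#06#` is the standard display-IMEI code that the test page's behaviour corresponds to.

```java
public class TelUriCheck {

    /** Percent-decode by hand: URLDecoder would turn '+' (international prefix) into a space. */
    static String percentDecode(String s) {
        StringBuilder out = new StringBuilder();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '%' && i + 2 < s.length()) {
                int hi = Character.digit(s.charAt(i + 1), 16);
                int lo = Character.digit(s.charAt(i + 2), 16);
                if (hi >= 0 && lo >= 0) {          // valid %XX escape
                    out.append((char) (hi * 16 + lo));
                    i += 2;
                    continue;
                }
            }
            out.append(c);                          // literal or malformed escape: keep as-is
        }
        return out.toString();
    }

    /** True when a URI is a tel: dial request whose number contains '*' or '#'. */
    static boolean shouldBlock(String uri) {
        if (uri == null) return false;
        String u = uri.trim();
        if (!u.regionMatches(true, 0, "tel:", 0, 4)) return false; // not a dial request
        String dialed = percentDecode(u.substring(4));
        return dialed.indexOf('*') >= 0 || dialed.indexOf('#') >= 0;
    }

    public static void main(String[] args) {
        String[] samples = {                        // constructed sample inputs
            "tel:*%2306%23",                        // display-IMEI code, '#' encoded
            "TEL:%2a%2306%23",                      // upper-case scheme, '*' encoded too
            "tel:*#06#",                            // unencoded form
            "tel:+15550100",                        // ordinary number, must pass
            "tel:555-0100",                         // ordinary number, must pass
            "https://example.com/#top",             // '#' but not a tel: URI
        };
        for (String s : samples) {
            System.out.printf("%-26s -> %s%n", s, shouldBlock(s) ? "BLOCK" : "pass to dialer");
        }
    }
}
```

A filter this simple also stops legitimate service codes that contain `*` or `#` when they arrive as `tel:` links; numbers typed directly into the dialer are not affected because only the link handler runs this check.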
 
tomer1981
#4  
Senior Member
Are the HTC's vulnerable too? and the Sense 4?
| Device: HTC Sensation XE
| ROM: albinoman887's CM10.1 / ViperS 1.6.2
| Kernel: ChronicKernel 1.2 / Bricked 1.36
Hit if I helped.
 
pandata000
#5  
Member - OP
Unfortunately some HTC's are. You can test yours using the URL provided in the thread (or using the barcode scanner).
 
tomer1981
#6  
Senior Member
Quote:
Originally Posted by pandata000
Unfortunately some HTC's are. You can test yours using the URL provided in the thread (or using the barcode scanner).
Tested the vulnerability with the stock browser and Dolphin on Sense 4.1. Both times I got to see my IMEI.
Installed patch app, and now it works. Very clever how you did this. Thanks !!
Is anyone brave enough to test this on a real-wiping-all-the-data link?
| Device: HTC Sensation XE
| ROM: albinoman887's CM10.1 / ViperS 1.6.2
| Kernel: ChronicKernel 1.2 / Bricked 1.36
Hit if I helped.
 
qandrav
(Last edited by qandrav; 27th September 2012 at 03:56 PM.) Reason: added quote
#7  
Member
Thanks a lot. I have a ZTE Gingerbread and I cannot update to Jelly Bean, so my phone is vulnerable... I've found a similar app on the market but it's incompatible; yours is totally good for my phone!!! Thank you!

As soon as you publish on the Play Store I'll give you 5 stars, obviously!!!

Quote:
Is anyone brave enough to test this on a real-wiping-all-the-data link?
I have no time right now, maybe in the we can be funny to try !!!!
 
.xxx.
#8  
Recognized Contributor
Checked!! So, installed!! Did process!! But in the bottom of my heart, I don't know why I did that :-/ Anyone bother to explain it to me?

Sent from Hell!!
 
pandata000
#9  
Member - OP
Thank you, qandrav! It's posted there, but it is still waiting for approval.
 
pandata000
#10  
Member - OP
Quote:
Originally Posted by .xxx.
Checked!! So, installed!! Did process!! But in the bottom of my heart, I don't know why I did that :-/ Anyone bother to explain it to me?

Sent from Hell!!

The problem is that if you open a malicious URL in your browser, the browser can send a USSD command to the dialer to factory reset your phone.

I hope that they will fix this soon, but if you are vulnerable and cannot update your phone you are at risk.

 