Masses of Android handsets including the Samsung Galaxy S3, Galaxy S2, HTC One X and HTC Desire can be wiped just by visiting a malicious website that implants particular code in web links, security experts have cautioned. A user with a susceptible handset who visits a page and clicks a link holding the malicious code would see their phone wiped, dropping personal data such as photos and texts as well as replaceable data such as contact details and apps.

samsung smartphones vunerable

Security Loophole

The error is caused by a security loophole in some versions of Android’s dialler software, which lets the “tel:” URL prefix to be used on a webpage to execute functions on the phone’s dialling software. Generally that is suitable for functions such as initiating a call on the handset directly from a site. But the tel: prefix can also be used to pass a string of non-numeric data to the dialler. Special strings of characters can perform other tasks; for example typing #06# on the dialler will show a phone’s IMEI number.

So if you have a Droid this is the reason you don’t want to type #*2767*3855#”

The flaw exploits a string that triggers a factory reset of some phones because they do not force a user interaction before executing the function programmed in the string. The code would have to be embedded as a link to cause the user to start it – but it would be easy to characterise it as an innocent link to Google or any site. Pressing the link would begin the wiping of data.

Jelly Bean Loaded Phones Will Remain Harmless

Dylan Reeve, a New Zealand-based TV editor who first brought the failing to public notice, says that Samsung Galaxy phones which use Android 4.1 will be harmless from the hack. But that still leaves millions of Galaxy S2 and some S3 handsets which will not have had the right revision of the firmware rolled out to them and which could be infected.

Although the susceptibility was fixed in Android’s main code earlier this year, that code has not been broadcasted to every handset in use. The fact that the problem was present in handsets from Samsung and HTC – the two main vendors of Android handsets – also suggests that a huge number of existing handsets could contain the outdated code.