ESET has released a free app, ESET USSD Control, that mitigates a
potentially very dangerous vulnerability in certain Android-based
smartphones. Smartphones and tablets powered by Android OS, which has a
68.1% market share in India according to the IDC report for Q2 2012, are
prone to a dangerous USSD vulnerability. It allows malicious software to reset
Android devices to their factory default settings and permanently delete users’ data.
The purpose of USSD (Unstructured Supplementary Service
Data) codes (a code starting with an asterisk *, continuing with hash signs # or
digits, which represent commands or data, and ending with a hash sign) is to let
telecom operators provide remote support for phone devices. For example,
by entering *#06# on your phone you can see
your device’s IMEI (International Mobile Equipment Identity). Other codes
reveal different information, such as your balance or the weather forecast,
or carry out actions, like a device reset.
The Android OS USSD vulnerability allows cyber-criminals
to wipe the phone’s data remotely by getting users to visit a URL, either directly
or through a single text message or a QR code. This attack was described by
Ravishankar Borgaonkar, a research assistant in the Telecommunications Security
department at the Technical University of Berlin, who demonstrated the remote
data-wiping attack during the Ekoparty security conference in Buenos Aires,
Argentina.
ESET is one of the first major antivirus vendors to provide
the fix in the form of a free stand-alone app on Google Play. After installing
the app, users should check whether their smartphone is open to such an attack by
using ESET’s USSD test.
“ESET USSD Control is
an application that allows the user to check potentially malicious phone
numbers (USSD codes) before they are dialed (executed) by the default phone
dialer. It will block malicious websites as well. Checking for malicious codes
before they are executed, ESET USSD Control makes sure all data on the Android
phone stay safe,” says Tibor Novosad, Head of Mobile Applications Section at
ESET.
The app displays a warning window each time a malicious
USSD code is found, blocking the execution of the command. To protect the
smartphone from USSD attacks, the user has to make sure that ESET USSD Control is
set as the default dialer. Keeping users’ privacy as a first priority, ESET scans
only USSD codes and does not store dialed numbers.