There has been quite a lot of concern about the flaw in some Android phones, including some Samsung Galaxy S3 devices, that allows a hacker to create a simple HTML page which can cause the phone to reset and wipe all of its data. A web page can issue Unstructured Supplementary Service Data (USSD) commands because of a combination of flaws in the stock Android web browser and the Android dialer.
To help worried Android users, Bitdefender has released Wipe Stopper, which warns users of any attempt to run a USSD command on their device, allowing them to prevent their phones from executing the malicious commands. The app works by registering itself as an alternative app for receiving USSD commands, alongside the phone dialer. When a USSD command is run via the web browser, the user can choose between the dialer and Wipe Stopper. Setting Wipe Stopper as the default means that all USSD commands issued via the web will be intercepted. Once the USSD command has been caught, Wipe Stopper offers the user the chance to continue to the dialer or cancel the action.
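The decision such an interceptor has to make can be sketched as follows. This is an added example, not Bitdefender's code: it assumes the commands arrive as `tel:` links (the usual way a web page hands a number to the dialer), the function names are hypothetical, and the sample links are constructed, using the standard IMEI display code `*#06#` as the harmless test case.

```python
from urllib.parse import unquote

SERVICE_CHARS = set("*#")               # present in every USSD/MMI code
PLAIN_CHARS = set("0123456789+ -.()")   # digits and visual separators

def decode_dial_string(uri):
    """Return the decoded dial string of a tel: URI, or None for other schemes."""
    scheme, sep, rest = uri.strip().partition(":")
    if not sep or scheme.lower() != "tel":
        return None
    # Decode repeatedly so a double-encoded "%2523" cannot hide a '#'.
    for _ in range(5):
        decoded = unquote(rest)
        if decoded == rest:
            break
        rest = decoded
    return rest

def classify(uri):
    """Return 'not-tel', 'dial' (pass to the dialer) or 'confirm' (ask the user)."""
    dial = decode_dial_string(uri)
    if dial is None:
        return "not-tel"
    if SERVICE_CHARS & set(dial):
        return "confirm"   # USSD/MMI code: show it and let the user cancel
    if not dial or set(dial) - PLAIN_CHARS:
        return "confirm"   # empty or unexpected characters: fail closed
    return "dial"          # ordinary phone number, no prompt needed

# Constructed sample links (not taken from the article).
SAMPLES = [
    "tel:+40%20721%20555%20010",   # ordinary number with encoded spaces
    "TEL:0721-555-010",            # scheme matching is case-insensitive
    "tel:*%2306%23",               # percent-encoded *#06#
    "tel:%252A%252306%2523",       # the same code, double-encoded
    "https://example.com/",        # not a dial link at all
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{link:28} -> {classify(link)}")
```

Ordinary numbers fall through to the dialer without a prompt, while anything containing `*` or `#` after decoding is held for the user's decision.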
“The moment the vulnerability came to light, Bitdefender set some of the best minds in the industry to working,” said Bitdefender Chief Security Researcher Alexandru Balan. “We came up with the best solution available – Bitdefender Wipe Stopper. It’s free, so we recommend pretty much every Android owner use it.”
The app also offers a test link which will open a page on Bitdefender’s website and ask for the phone to return its IMEI via a USSD command. If the IMEI is returned, it means that any and all USSD commands can be issued via a web page, including the commands to wipe the phone and restore it to its factory defaults.
I tested it on my HTC One S, which it turns out is vulnerable, but thanks to Wipe Stopper I am now protected. I also tested my carrier’s native app (which also issues USSD commands) and thankfully it runs normally, even with Wipe Stopper installed.
You can download Bitdefender’s Wipe Stopper from Google Play.
But all these intercept regular dial phone number commands, which is quite annoying.
@morris try it out. You’ll see that it will not interfere at all with any normal phone behavior. All regular phone numbers are transparently directed to the phone dialer.