Be careful what links you click: A single line of HTML code can wipe the data on certain Samsung smartphones running Google’s Android software.

The issue is specific to Samsung phones that also use the company’s TouchWiz software, says SlashGear, which actually means most of the current Samsung smartphones. Google’s Galaxy Nexus, also made by Samsung, is not affected by the exploit, which was demonstrated by Ravi Borganokar at the Ekoparty security conference…

The short line of HTML code, Borganokar says, can also be executed through an embedded QR code or NFC wireless transfer. Even worse than an unintended factory restore or data wipe, this exploit can render the phone’s SIM card useless.

Some will surely condemn Android as a whole for this issue, but since it’s specific to Samsung’s TouchWiz software — likely as a feature to quickly dial phone numbers by way of links, QR codes or NFC data — the problem is limited to Samsung devices. I’d expect that Samsung releases a patch to disable the automatic phone dialing soon.

Samsung has a patch for the S3 available via OTA update.

As a long-time Android user, however, these security — or insecurity issues, rather — are getting old in general. I mainly use Android devices because they fit my mantra of “use the best tool for the task at hand.” As someone embedded deeply in Google’s world of apps and data, Android simply works better. Even my limits are getting tested though: An open platform that can be endlessly tweaked is great until the wrong folks are tweaking it.

So says Kevin Tofel at GigaOm.

UPDATE: As I noted an update is available for the S3. Kevin expects other models are rolling out soon.



  1. Oops says:

    Total app developer fail. Or blame it on QA? Who’s in charge?

  2. Peppeddu says:

    It was bound to happen.

    You have a huge code fragmentation in wild, most of them customized down to the core and no easy way to get to it (you have to go thru the carrier first)

    Good luck getting a patch for that.

    Solution, throw away the Android phone and get one with an OS that has a clear support lifecycle.

    • Derek says:

      I know! My EVO 4G is over 2 years old, yet I have Jelly Bean running! You know what I want? I want a manufacturer to tell me when I stop getting updates! That would be COOL!

    • SGS3 says:

      Yea, good luck getting a patch for that! oh, wait, my sgs3 already has the patch on it, and is not vulnerable… won’t be long until it’s on all of them

  3. bobbo, the pragmatic existential evangelical anti-theist says:

    I was thinking of installing the Android OS onto my computer just to play with it for awhile and download the “free app of the day” that is available everywhere.

    Then I thought… why bother. Now I can see I will do it so that I stop thinking about it. About 250 MB–should fit on an open partition I have. I was hoping I could run it within/with Windows.

    Is there an app for that?

    • Derek says:

      youtube.com/watch?v=ltadM2qRmoM

      • bobbo, the pragmatic existential evangelical anti-theist says:

        Thanks Derek: I didn’t find the Virtual Box discussion the first 2-3 times I googled this issue. I’ve downloaded it. 90 MB so its real small. Excellent! I have RAM to spare so thats good too.

        The guy on your link was hard to follow so the side bar had this one which is better for me.

        http://youtube.com/watch?v=FHZn-fdRAJo&feature=related

        Just what I wanted. Will angry birds or tetris be more fun now and why haven’t I found these for Win 7 yet? (free, of course!)

        • bobbo, the pragmatic existential evangelical anti-theist says:

          Looking it over a bit more, looks like all the Android Phone apps work via touch screen controls? I was thinking they would have a key pad that the desktop could use, but I can see how that is not so.

          Will Win 8 with its touch screen OS be any different?

          I’ve been going to buy an Old Iphone just to play music and have a camera. I use Skype for all phone calls.

          Pros and Cons, challenges to every non-standard usage we have. Those first person shooters on the Iphone look second rate compared to computer play.

          Always something. But Virtual Box is new to me. Should be able to use it for something else as well?

  4. ECA says:

    For those that dont get it…
    BITS/VIRUS are all you can get…Just wondering the NET..
    yes this is bad for samsung.
    But, consider all the HOLES under windows..

    With ADOBE, FLASH, HTML, and 7 other Markup languages floating around..

    It would be NICE if you goto a site and these Programs started up OUTSIDE(and sandboxed) in another window..NOT under IE or FF or Chrome..

    There are ways to PROTECT your systems, and MS should have done AT LEAST 1/2 of them..MOST protection isnt hard.

    I try to SCARE people abut the net..
    I also ask/instill into them the FIRST RULE(after I install protection) DONT PUSH THE BUTTON…

    I just received a Phishing email.. from my Net company.
    It wanted me to READ a PDF..
    (NO WAY IN HELL)
    so I called up my company, and they told me that OTHERS had found the same email..and it wasnt Theirs.

    I have many stories but wont give them here..

    ALSO for some of you.. MOST MAKERS build in a backdoor to FIX a system. Ask those HARDWARE IDIOTS out thee that mess up a router..

  5. sargasso_c says:

    I now have something to defend myself against the giggling hoards of Android users laughing at my Maps App.

    • Supreme Ultrahuman (I see the comment system is still designed for retards.) says:

      But, if you are using iPhone Maps, can you even find the hoards so they can giggle at you? 😉

  6. Captain Obvious says:

    Obviously the fix will be pushed to most people’s phone by 2016.

  7. immovableobject says:

    We interrupt the Apple bashing for this brief announcement.

  8. Admfubar says:

    let me inturppt the adroid bashing, this is samsung utility that has nothing to do with android code.. the exploit is in this utility.
    this is the trouble with using no free/non open source code. not enough eyes checking things..

  9. noname says:

    SAMSUNG product quality/reliability sucks, always has!

    Their products have allot of good “me-too” features, good specs and their styling is also good; but, as far as reliability and longevity, SAMSUNG Sucks!

    If first impressions and the purchase experience are all you care about, then SAMSUNG products are for you, you are their target market. If you expect reliability and longevity, buy something else!

    SAMSUNG business model is being only “good enough” with me-too products, which are mostly copy-takeoffs with some added differentiating features. Their products are designed to appear pretty good and be fairly priced and that about it.

    SAMSUNG buys their technology they don’t make or invent it!

  10. BigBoyBC says:

    It’s not a flaw, it’s a feature!

  11. John says:

    I totally agree. This is not really a Android issue. But a apps developer issue who simply did some bad coding. I think the next big malware out break will be on smart phones. Not sure if it will be Apple’s, Windows phones or Android phones. But they are the most vulnerable at this point.

  12. Captain Obvious says:

    You can check your Android since the problem is with the dialer itself. Obviously the problem isn’t just with Samsung phones.

  13. Hollie says:

    All week smartphone users with The Coupons App enjoy this FREE meal at Carino’s Italian Grill. Then take advantage of this 65% coupon savings at Elder-Beerman, 40% coupon savings at Burlington Coat Factory. $10 off at Michaels and 45% at TJX Companies. Free! http://thecouponsapp.com/download


0

Bad Behavior has blocked 4216 access attempts in the last 7 days.