Threat Category: USSD
ID: CEL-25
Threat Description: Execution of an Unstructured Supplementary Service Data (USSD) code causes the mobile phone to autodial phone numbers. The USSD code could be delivered via a browser.
Threat Origin
Not Applicable, See Exploit or CVE Examples
Exploit Examples
Dirty USSD Code Could Automatically Wipe Your Samsung TouchWize Device (Updated) [1]
Remote USSD Code Execution on Android Devices [2]
CVE Examples
Not Applicable
Possible Countermeasures
Mobile Device User
Choose devices without a USSD software stack.
Enterprise
Choose devices that will not execute USSD codes without user confirmation.
References
[1] M. Smith, “‘Dirty USSD’ Code Could Automatically Wipe Your Samsung TouchWize Device (Updated)”, Engadget, 25 Oct. 2012; https://www.engadget.com/2012/09/25/dirty-ussd-code-samsung-hack-wipe/ [accessed 8/29/2016]
[2] “Remote USSD Code Execution on Android Devices”, 29 Oct. 2012, https://www.nowsecure.com/blog/2012/09/25/remote-ussd-code-execution-on-android-devices/ [accessed 8/29/2016]