Mobile Threat Catalogue

Unauthorized USSD Code Autodial

Threat Category: USSD

ID: CEL-25

Threat Description: Execution of an Unstructured Supplementary Service Data (USSD) code causes the mobile phone to autodial phone numbers. The USSD code could be delivered via a browser.

Threat Origin

Not Applicable, See Exploit or CVE Examples

Exploit Examples

Dirty USSD Code Could Automatically Wipe Your Samsung TouchWiz Device (Updated) [1]

Remote USSD Code Execution on Android Devices [2]

CVE Examples

Not Applicable

Possible Countermeasures

Enterprise

Choose devices without a USSD software stack.

Choose devices that will not execute USSD codes without user confirmation.

Mobile Device User

Choose devices without a USSD software stack.

Choose devices that will not execute USSD codes without user confirmation.

References

  1. M. Smith, “‘Dirty USSD’ Code Could Automatically Wipe Your Samsung TouchWiz Device (Updated)”, Engadget, 25 Oct. 2012; https://www.engadget.com/2012/09/25/dirty-ussd-code-samsung-hack-wipe/ [accessed 8/29/2016]

  2. “Remote USSD Code Execution on Android Devices”, 29 Oct. 2012, https://www.nowsecure.com/blog/2012/09/25/remote-ussd-code-execution-on-android-devices/ [accessed 8/29/2016]