If you wanted to see whether the factory reset triggered by the browser exploit is actually a thing, watch the video below; it’s kind of mind-blowing to think this is possible. The issue is clearly there on the Galaxy S II. The Galaxy S III, however, is immune to this exploit from within the browser, although apparently it can still be triggered via NFC.

Trevor Long from EFTM filmed the video below, showing a normal Samsung Galaxy S II reading a QR code that opens a page in the browser with the exploit embedded in it. The factory reset screen comes up straight away, giving you not even a second to yank the battery out to stop the process. Scary stuff.

Trevor has also confirmed that installing Dialer One and setting it as the default dialer on the Galaxy S II does stop this exploit from occurring.

Source: EFTM.
10 Comments
Chris Rowe
maatsby
Kenny

My Desire Z running a CM9 spinoff (ICS) is vulnerable to the exploit as well. Could likely be an issue with the Dialer in ICS?

Myk

Has anyone checked this on the Galaxy Note?

Greg Bell

Running a link to test, my Nexus One running Cyanogenmod auto-executes USSD codes as well, so is vulnerable as well. It doesn’t recognize the code used here to reset the Samsung devices though as it’s device specific. If there is a factory reset code for the N1 the exploit should work on my phone though.

Test here: http://ninpo.qap.la/test/index.html

QR here: http://chart.apis.google.com/chart?cht=qr&chs=300x300&chl=http%3A//ninpo.qap.la/test/index.html&chld=H|0

If your IMEI is displayed then your phone is potentially vulnerable, as it executes USSD codes without user intervention.

Stephen Reeves

How long would it take for a patch? I have an SGSII, this is very scary. My QR code reader doesn’t directly open up links, but I’d rather not risk it.

Wolf Cocklin

doesn’t have to be a qr code… could be ANY link… the exploit is triggered via a webpage… open a short URL and bam… phone reset.

Dan Murphy

My SGSIII received an OTA update on the weekend through Optus.

Trevor Long

A patch itself – who knows! My advice is here: http://eftm.com.au/2012/09/how-to-keep-your-samsung-galaxy-sii-safe-from-automatic-factory-reset-8349

And remember, it doesn’t have to be a QR code, it could be a simple link in an email or tweet..

Wolf Cocklin

Yikes.