USSD Exploit Can Lock All Android Phone SIM Cards

While only a certain brand of smartphones was vulnerable to being wiped via a USSD command embedded in webpages, the locking of SIM cards is possible with almost any Android phone.

The victim just needs to have the phone access a maliciously formed “tel:” URI, such as by visiting a web page with an embedded iframe. When the mobile browser loads it, the embedded USSD command (in this case, the PIN or PUK change command) is executed without any confirmation from the user.

After a number of attempts using the wrong PUK, the SIM card is locked and requires a new PUK number to be re-activated.
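A defensive check for the delivery mechanism described above, as an added example that is not part of the original post and does not represent how any Bitdefender tool works: it scans page markup for “tel:” URIs whose dial string contains `*` or `#` (an MMI/USSD code rather than a plain phone number) and notes whether the URI sits in a user-clicked link or in an element the browser loads on its own. The function names and the sample page are constructed for illustration; the sample uses the harmless IMEI-display code `*#06#`.

```python
from html.parser import HTMLParser
from urllib.parse import unquote


def is_ussd_tel_uri(uri):
    """True if a tel: URI carries '*' or '#', i.e. an MMI/USSD code, not a plain number."""
    scheme, sep, rest = uri.strip().partition(":")
    if not sep or scheme.lower() != "tel":
        return False
    # '#' is usually percent-encoded as %23 and '*' sometimes as %2A, so decode first.
    dial = unquote(rest)
    return "*" in dial or "#" in dial


class TelUriScanner(HTMLParser):
    """Collects (tag, attribute, uri, needs_click) for every USSD-bearing tel: URI."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Check every attribute value instead of a fixed list of URL attributes.
        for name, value in attrs:
            if value and is_ussd_tel_uri(value):
                # A plain link needs a tap; anything else may load with the page.
                self.findings.append((tag, name, value, tag == "a"))


def scan_html(html):
    scanner = TelUriScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one ordinary phone link, two USSD-bearing tel: URIs.
SAMPLE = """
<a href="tel:+1-555-0100">Call us</a>
<iframe src="tel:*%2306%23"></iframe>
<a href="TEL:%2A%2306%23">Show IMEI</a>
"""

if __name__ == "__main__":
    for tag, attr, uri, needs_click in scan_html(SAMPLE):
        how = "on click" if needs_click else "on page load"
        print(f"<{tag} {attr}> {uri} -> USSD code, triggered {how}")
```

The same `is_ussd_tel_uri` test can back a proxy or content-filter rule; findings with `needs_click` set to `False` are the ones that match the no-confirmation scenario in this post.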

We strongly recommend that Android users install Bitdefender USSD Wipe Stopper, which has been updated to reflect this threat scenario.

About the author


Razvan Stoica is a journalist turned teacher turned publicist and technology evangelist. When Bitdefender isn't paying him to bring complex subjects to wide audiences, he enjoys writing fiction, skiing and biking. Razvan Stoica started off writing for a science monthly and was the chief editor of a science fiction magazine for a short while before moving on to the University of Medicine in Bucharest where he lectured on the English language. Recruited by Bitdefender in 2004 to add zest to the company's online presence, he has fulfilled a bevy of roles within the company since. In his current position, he is primarily responsible for the communications and community-building efforts of the Bitdefender research and technology development arm.

