Oct 01 2012
 

Last week it was heavily reported that a security flaw had been found in the software layer added to most Samsung Android devices.  This was quickly patched by Samsung.

Today we learn that there has been a similar issue affecting almost ALL Android devices.

Basically, a web page can be constructed to send a USSD code to the Android device and immediately wipe it. While this is clearly a serious matter, it does rely on a user visiting a website and physically clicking on a link. But it could happen! Alternatively, a malicious app could be written, requiring a user to simply download and run the app.
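A defensive check for the delivery path described above, as an added example that is not part of the original post: it scans a page's HTML for `tel:` links whose dial string contains `*` or `#`, the characters that mark a USSD-style code rather than an ordinary phone number. It assumes the code reaches the dialer through a `tel:` link (the post does not name the mechanism); the sample page and the codes in it are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Matches a tel: URI anywhere in an attribute value and captures what would be dialled.
# Assumption: the USSD code is delivered through a tel: link (not stated in the post).
TEL_URI = re.compile(r"\btel:([^\s\"'<>]*)", re.IGNORECASE)


class TelUssdScanner(HTMLParser):
    """Collects tel: URIs whose dial string contains '*' or '#'."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Every attribute is checked, not only href, so the tag type does not matter.
        for name, value in attrs:
            if not value:
                continue
            # Decode %2A / %23 so encoded and literal forms are treated alike.
            for match in TEL_URI.finditer(unquote(value)):
                dial = match.group(1)
                # Ordinary numbers use digits, '+', '-', '.', '(' and ')';
                # '*' and '#' indicate a USSD-style code.
                if "*" in dial or "#" in dial:
                    self.findings.append((tag, name, dial))


def scan_html(html):
    """Return (tag, attribute, dial string) for each suspicious tel: URI."""
    scanner = TelUssdScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one normal number, two USSD-style links, one unrelated link.
SAMPLE_PAGE = """
<a href="tel:+44-1632-960123">Call the office</a>
<a href="TEL:%2A%230000%23">Support</a>
<a href="https://example.com/help#contact">Help</a>
<a href="tel:*100#">Check balance</a>
"""

if __name__ == "__main__":
    for tag, attr, dial in scan_html(SAMPLE_PAGE):
        print(f"<{tag} {attr}>: tel: link would dial {dial!r}")
```

A number that legitimately ends in `#`, such as a conference dial-in with a PIN, is flagged too, so findings need review before a page is blocked.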

The ‘bug’ is of little use to hackers, who cannot gain anything from the phone or make any money. A legitimate use is for a network carrier to send a USSD code when a phone is lost or stolen.

This issue is confirmed as affecting earlier Android versions (2.3.x, 3.x Honeycomb, 4.0.x Ice Cream Sandwich). The current version, 4.1.x Jelly Bean, is unaffected.

Devices tested include Samsung Galaxy SIII, SII, S Advance, Ace and possibly more, HTC One Series, Sensation, Sensation XL and other HTCs, Motorola Droids, Sony Ericsson Xperia series.

Google fixed the problem three months ago and issued an over-the-air update; however, some phones may be vulnerable if they are running custom versions of Android (those tweaked by manufacturers and therefore not able to receive Google-issued Android updates).

Is this another example of the benefits of sticking to the core Android operating system rather than a custom build?

 Posted by on October 1, 2012