Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

10/3/2012
10:14 AM
Dark Reading
Dark Reading
Products and Releases
50%
50%

ESET Releases ESET USSD Control To Prevent Dangerous Android Vulnerability

Security flaw allows cybercriminals to potentially take control of unprotected Android-based smartphones

SAN DIEGO, Oct. 3, 2012 /PRNewswire/ -- ESET, the leader in proactive protection celebrating 25 years of its technology this year, today announced the release of a special free app, ESET USSD Control, which removes and prevents the potentially dangerous Unstructured Supplementary Service Data (USSD) vulnerability flaw in certain Android-based smartphones. ESET is one of the first major antivirus vendors to provide the fix in the form of a free stand-alone app on Google Play. After installing the app, users should check whether their smartphone is open to such attack by undergoing ESET's USSD test.

This security flaw allows cybercriminals to potentially take control of millions of unprotected Android-based smartphones, essentially any device running Android 4.1.x or lower, through a text message or a QR code. After they take control they can remotely wipe out data from a user's phone.

"The ESET USSD Control application allows users to check potentially malicious phone numbers (USSD codes) before they are dialed by the default phone dialer and can block malicious websites, which abuse USSD codes associated with the vulnerability, ensuring all data on their Android phone stays safe," said Tibor Novosad, Head of the Mobile Applications Section at ESET.

The application displays a warning window every time a malicious USSD code is found, blocking the execution of the command. In order to protect smartphones from USSD attacks, the user has to set the ESET USSD Control application as a default dialer. ESET only scans USSD codes and does not store any dialed numbers.

How the USSD hack works

USSD is a code used by phone manufacturers and carriers for simple customer support. The code starts with an asterisk (*) and continues with hashtags or digits representing commands/data, then ends with a hashtag (#). By entering these codes on your phone you can see your device's International Mobile Equipment Identity (IMEI). The USSD code for this is *#06#. Other codes reveal different information or carry out actions, like a device reset, giving cybercriminals the ability to delete data or reset a phone remotely by initiating such requests.

ESET is actively following up on the most recent Android-related security issues; users can regularly check for more information on the ESET Threat Blog.

About ESET

ESET is on the forefront of security innovation, delivering trusted protection to make the Internet safer for businesses and consumers. IDC has recognized ESET as a top five corporate anti-malware vendor and one of the fastest growing companies in its category. Trusted by millions of users worldwide, ESET is one of the most recommended security solutions in the world. ESET NOD32 Antivirus consistently achieves the highest accolades in all types of comparative testing, and powers the virus and spyware detection in ESET Smart Security and ESET Cyber Security for Mac. ESET has global headquarters in Bratislava (Slovakia), with regional distribution centers in San Diego (U.S.), Buenos Aires (Argentina), and Singapore; with offices in Sao Paulo (Brazil) and Prague (Czech Republic). ESET has malware research centers in Bratislava, San Diego, Buenos Aires, Singapore, Prague, Kosice (Slovakia), Krakow (Poland), Montreal (Canada), Moscow (Russia), and an extensive partner network for 180 countries. For more information, visit http://www.eset.com/us or call +1 (619) 876-5400.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-24259
PUBLISHED: 2021-05-05
The “Elementor Addon Elements� WordPress Plugin before 1.11.2 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
CVE-2021-24260
PUBLISHED: 2021-05-05
The “Livemesh Addons for Elementor� WordPress Plugin before 6.8 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
CVE-2021-24261
PUBLISHED: 2021-05-05
The “HT Mega – Absolute Addons for Elementor Page Builder� WordPress Plugin before 1.5.7 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by ...
CVE-2021-24262
PUBLISHED: 2021-05-05
The “WooLentor – WooCommerce Elementor Addons + Builder� WordPress Plugin before 1.8.6 has a widget that is vulnerable to stored Cross-Site Scripting (XSS) by lower-priv...
CVE-2021-24263
PUBLISHED: 2021-05-05
The “Elementor Addons – PowerPack Addons for Elementor� WordPress Plugin before 2.3.2 for WordPress has several widgets that are vulnerable to stored Cross-Site Scriptin...