400 million Ice Cream Sandwich, Honeycomb and Gingerbread users urged to upgrade
Around 400 million people using Android devices are vulnerable to a new attack that wipes all data or disables phones and tablets, security experts have warned.
The very simple attack on a growing number of Android devices uses a flaw in the way devices handle Unstructured Supplementary Service Data (USSD) codes, which are used to communicate with the user's service provider's computers for tasks such as call back or balance enquiries.
The attack is launched automatically if someone visits a website on which the malicious code is embedded. It affects versions of the Android operating system earlier than Jelly Bean 4.1.
The code then tricks the USSD's automatic dialler feature, which makes placing phone calls easier while the user is browsing the web.
The Android device sees this code as a phone number, which then allows the hackers to repeatedly change the PIN code in the SIM or the personal unblocking key (PUK). The attack also shows the phone's IMEI number.
There appear to be no financial motives behind this attack.
Alexandru Balan of Bitdefender said: "Most malware attacks are motivated by financial gain but not this one. The motive appears to be a prank or making life difficult for someone and it is so easy to carry out that anyone could do this and take revenge on someone."
The user will only realise this after the phone has been switched off, when they find they are unable to turn it back on as a different PIN has been set. It will also wipe all the data from Samsung devices. To use the device again the user has to get a new SIM from their service provider.
Only devices using Google's latest Android 4.1 Jelly Bean operating system are not vulnerable to this attack. There is also protection for the Samsung Galaxy S III.
However, only around two per cent of Android users have Jelly Bean, and older devices will not upgrade to this OS. These people will have to protect themselves in other ways.
There is more about this exploit along with a video at the Dylan Reeve website.