Some Samsung Galaxy devices vulnerable to malicious HTML hack (Updated)

Potentially bad news for Samsung device owners today. A number of Samsung Galaxy devices running Samsung’s TouchWiz UI have been found to be vulnerable to a malicious hack that could wipe them clean. The exploit occurs when a website runs a USSD code (essentially a dialer code) via the browser to trigger the full factory reset. It can also be triggered with a QR code or by NFC. Among the devices that are affected are the Galaxy S II, Galaxy Beam, and Galaxy Ace.

The exploit was demonstrated by Ravi Borgaonkar, a researcher at the Technical University Berlin, at the Ekoparty security conference last week:

The Samsung Galaxy S III is also among the vulnerable devices but some units have been shown not to be affected. It appears that a recent update has removed the vulnerability. For example, the unlocked international version does not reset when the exploit is run on it. A fix is also reportedly included in the Android 4.1 upgrade that has now begun to be rolled out.

It also appears that the exploit does not work in the Chrome browser, suggesting it could be limited to the stock browser.

One thing is clear: The vulnerability is out there but Samsung appears to be on the case already and busy releasing updates to patch it. Let’s hope that it moves quickly to patch all affected devices and not just its more recent models.

Update: Samsung has issued a statement in regards to this issue:

“We would like to assure our customers that the recent security issue concerning the GALAXY S III has already been resolved through a software update. We recommend all GALAXY S III customers to download the latest software update, which can be done quickly and easily via the Over-The-Air (OTA) service.”

Samsung is also working on a patch for the Galaxy S II but it has yet to issue a statement on the situation for other devices.

Read more: CNET, AndroidPolice and The Verge