Yesterday it was discovered that a simple URL could completely wipe a whole range of Samsung phones. At the time, it was thought that the flaw was part of Samsung’s TouchWiz UI. Although Samsung patched that specific flaw, we may not have seen the end of the vulnerability. Dylan Reeve writes that the original flaw isn’t limited to Samsung devices; instead, the problem comes from the Android dialer itself. Reports show that the HTC One X and the Motorola Defy both have the vulnerability. What’s worse is that the problem was identified and patched three months ago, but Android updates come so rarely that even high-end phones can still be wiped by clicking on a link.
The vulnerability is still a real concern: even if some phones are patched, it’s easy enough to detect the phone model through the browser’s User-Agent string and then proceed based on whether that model is vulnerable or not. And since the vulnerability is present in Android 2.3, which millions of phones are still running, there are still a lot of targets out there. If you’ve got an Android phone, the easiest way to mitigate the risk is to install another dialer: if someone tries to hijack your phone, you’ll simply get a “Complete Action Using” dialog instead of an automatic call.
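As an added illustration (not code from the article, from Dylan Reeve, or from Android itself) of why a second dialer blunts this attack: the underlying bug was that the stock dialer acted on a `tel:` link immediately, and on affected phones a USSD-style service code in that link (a string containing `*` and `#`) was executed without any user action. The hypothetical replacement dialer below registers for the same `tel:` links but only pre-fills the number and waits for the user to tap Call; a service code arriving from another app or a web page is refused outright. The package name, class name and UI strings are assumptions, and the `CALL_PHONE` permission plus an intent filter for `ACTION_VIEW`/`ACTION_DIAL` with the `tel` scheme would have to be declared in the app’s manifest.

```java
// Hypothetical defensive dialer (illustration only, not the AOSP fix).
// A number that arrives via an Intent is shown in the text field, never dialed
// automatically; only a tap on the Call button places a call.
package com.example.safedialer;   // assumed package name

import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.widget.Button;
import android.widget.EditText;
import android.widget.LinearLayout;
import android.widget.Toast;

public class DialerActivity extends Activity {
    private EditText numberField;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        numberField = new EditText(this);
        Button callButton = new Button(this);
        callButton.setText("Call");

        // Minimal programmatic layout so the example is self-contained.
        LinearLayout root = new LinearLayout(this);
        root.setOrientation(LinearLayout.VERTICAL);
        root.addView(numberField);
        root.addView(callButton);
        setContentView(root);

        // The call is only ever placed from the user's own tap.
        callButton.setOnClickListener(v -> placeCall(numberField.getText().toString()));

        handleIncomingIntent(getIntent());
    }

    @Override
    protected void onNewIntent(Intent intent) {
        super.onNewIntent(intent);
        handleIncomingIntent(intent);
    }

    /** A tel: link from a browser or another app is pre-filled, not dialed. */
    private void handleIncomingIntent(Intent intent) {
        if (intent == null || intent.getData() == null) {
            return;
        }
        Uri uri = intent.getData();
        if (!"tel".equals(uri.getScheme())) {
            return;
        }
        String number = uri.getSchemeSpecificPart();
        if (looksLikeServiceCode(number)) {
            // Service codes from outside the app are never forwarded to the radio.
            Toast.makeText(this, "Blocked service code from external link",
                    Toast.LENGTH_LONG).show();
            return;
        }
        numberField.setText(number);   // visible to the user, still not dialed
    }

    /** USSD-style codes contain '*' or '#'; ordinary phone numbers do not. */
    static boolean looksLikeServiceCode(String number) {
        return number != null && (number.indexOf('*') >= 0 || number.indexOf('#') >= 0);
    }

    /** Reached only from the Call button; requires CALL_PHONE in the manifest. */
    private void placeCall(String number) {
        if (number.isEmpty()) {
            return;
        }
        Intent call = new Intent(Intent.ACTION_CALL, Uri.fromParts("tel", number, null));
        startActivity(call);
    }
}
```

The important design point is the separation between receiving a number and dialing it: anything that reaches the activity through an Intent is treated as untrusted input and only displayed, so a link on a web page can at most fill in the field. With such a dialer installed alongside the stock one, Android also shows the “Complete Action Using” chooser the article mentions, which is itself the user interaction the original flaw skipped.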
Once again, this highlights what most Android enthusiasts already complain about: the way Android is updated. Even if it’s a vulnerability in Android itself, the patch can’t reach you unless your manufacturer includes it in their build and your carrier pushes it to your phone. Beyond simply having the newest and best software, exploits like this are why keeping all phones up to date is important, and with the current Android supply chain, it’s simply not possible. Maybe this incident will be a wake-up call for Google that Android upgrades need upgrading.