Gaping Hole in TouchWiz UI is Wiping Samsung Androids Clean

From DailyTech: One of the biggest Android vulnerabilities to date was discovered this week, but not in Google Inc.'s (GOOG) Android OS itself. The vulnerability was found in Samsung Electronics Comp., Ltd.'s (KSC:005930) TouchWiz UI and allows malicious users to direct unwitting Samsung Android owners to webpages with frames that contain a reset code to wipe their device clean.

Google has long grunted and grumbled about OEMs' desire to "skin" Android with custom UI experiences. It was originally looking to kill off the practice, but it has since relented, allowing TouchWiz UI and other custom Android UIs to persist.

The vulnerability in TouchWiz reportedly affects multiple devices including the best-selling Galaxy S II, plus many lesser-known Samsung handsets like the Galaxy Beam. The vulnerability involves sending the code *2767*3855# to the phone's dialer, which triggers a factory reset.

Samsung's Android build allows websites to contain the code which auto-launches a call to a phone number when you click on the pertinent object. Using this vulnerability, the clickable wiping item could be hidden in all manner of website images or links.

Fortunately, some newer Galaxy phones (such as the Galaxy S III) have a slightly toned-down version of TouchWiz, which will only bring up the number in the dialer app, not automatically initiate the call. Hence, while the reset code indeed works, the danger to owners of certain Samsung phones is minimal, given that they would have to accidentally hit the call button after the reset code came up to complete the wipe on those devices.
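The difference described above, between a page element that hands a dial string to the phone by itself and one that needs a tap, can be checked for in page source. This is an added example, not from the original article: a Python scanner that assumes the dial string arrives through a `tel:` URI (the article does not name the scheme) and flags any such URI carrying `*` or `#`. The sample page is constructed and uses the harmless IMEI-display code `*#06#`.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

# Tags whose URL is fetched without user action vs. tags that need a tap.
AUTO_LOAD = {"iframe", "frame", "img", "script", "embed", "object"}
URL_ATTRS = ("src", "href", "data")


def mmi_payload(url):
    """Return the dial string if url is a tel: URI carrying * or #, else None."""
    if not url:
        return None
    url = url.strip()
    if url[:4].lower() != "tel:":
        return None
    dial = unquote(url[4:])  # %23 decodes to '#', %2A to '*'
    return dial if ("*" in dial or "#" in dial) else None


class TelScanner(HTMLParser):
    """Collect (tag, trigger, dial string) for every suspicious tel: URI."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS:
                dial = mmi_payload(value)
                if dial is not None:
                    trigger = "auto-load" if tag in AUTO_LOAD else "click"
                    self.findings.append((tag, trigger, dial))


def scan(html):
    scanner = TelScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one ordinary phone link, two links with an MMI code.
SAMPLE = """<html><body>
<a href="tel:+15555550100">Call us</a>
<a href="tel:*%2306%23">Support</a>
<iframe src="tel:*%2306%23" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

An ordinary phone number passes untouched; only dial strings containing `*` or `#` are reported, and the `auto-load` findings are the ones that matter on handsets that place the call without confirmation.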
