By Alexandra Burlacu | Sep 30, 2012 11:05 AM EDT
Devices using Google's popular Android mobile operating system are at risk of being disabled or completely wiped clean of their data, including contacts, photos, and music.
The security flaw posing the threat was discovered several months ago, but went under the radar until now. Vulnerable devices include handsets made by Samsung, HTC, Motorola, and Sony Ericsson.
According to computer security researcher Ravi Borgaonkar, opening a link to a Web site or a mobile application laced with malicious code can trigger an attack capable of wiping the memory card in Android-based handsets, rendering the devices useless. Meanwhile, a separate code capable of performing a factory reset and erasing a user's data seems to target only Samsung phones, including the flagship Galaxy S3.
Borgaonkar said he informed Google of the vulnerability back in June. A fix rolled out quickly and quietly, leaving smartphone owners basically unaware that a problem existed or how they could fix it.
Launched in 2008, the Android OS currently dominates the smartphone market. According to market research firm IDC, nearly 198 million Android smartphones were sold in the first six months of the year, and roughly 243 million Android phones were sold in 2011.
Vulnerable versions of Android include Gingerbread, Ice Cream Sandwich, and the latest Jelly Bean, while the Honeycomb version designed for tablets still needs to be tested, noted Borgaonkar.
Samsung, the biggest Android phone maker, said only early production models of its flagship Galaxy S3 were affected, and a software update has already been issued for that model. The company added that it is currently conducting an internal review to check whether other devices are affected and to determine what action is needed, if any. Meanwhile, Samsung is advising users to check for software updates through the "Settings: About device: Software update" menu.
Borgaonkar explained that the bug works by exploiting phone functions that allow a phone number to be dialed directly from a Web browser. A person can create a Web site or an app containing such dial-out links, and phones that follow those links automatically execute the embedded commands, including a full factory reset.
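From the defender's side, the dial-out links described above can be checked for before a page or app is trusted. The following Python script is an added example, not code from the article or from Borgaonkar's research: it scans a page's tel: links for strings that carry the * and # characters of a dialer command (MMI/USSD style) rather than a plain phone number, decoding percent-encoding first. The sample HTML, the tel: strings in it and the function names are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

# Characters that turn a dialled string into an MMI/USSD command rather than a plain number.
MMI_CHARS = set("*#")


class TelLinkCollector(HTMLParser):
    """Collect every tel: URI found in <a href> or <iframe src> attributes."""

    def __init__(self):
        super().__init__()
        self.tel_uris = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "iframe"):
            return
        wanted = "href" if tag == "a" else "src"
        for name, value in attrs:
            if name == wanted and value and value.strip().lower().startswith("tel:"):
                self.tel_uris.append(value.strip())


def is_mmi_code(tel_uri):
    """True if the tel: URI decodes to a string containing * or # (e.g. %2A / %23)."""
    number = unquote(tel_uri[len("tel:"):])
    return any(c in MMI_CHARS for c in number)


def find_suspicious_tel_links(html):
    """Return the tel: URIs on the page whose dial string looks like an MMI/USSD command."""
    parser = TelLinkCollector()
    parser.feed(html)
    return [uri for uri in parser.tel_uris if is_mmi_code(uri)]


# Constructed sample page: one ordinary number and one percent-encoded MMI-style string
# (a made-up code chosen for illustration, not a real service code).
SAMPLE_HTML = """
<html><body>
<a href="tel:+15550100">Call support</a>
<a href="tel:%2A%2399%23">Special offer</a>
</body></html>
"""

if __name__ == "__main__":
    for uri in find_suspicious_tel_links(SAMPLE_HTML):
        print("MMI-style tel: link:", uri, "decodes to", unquote(uri[4:]))
```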
A phone's memory card, i.e. a subscriber identity module, or SIM, can be destroyed remotely in the same manner, added Borgaonkar.
"Vulnerability in Android can be exploited to kill the SIM card permanently by clicking a single click," he noted. "After the successful attack, the end user has to go to the mobile network operator and buy a new SIM card."