Some of you may have recieved an over the air update from your carrier on Samsung Galaxy S III devices. This post is to clear up any confusion as to what that update actually achieved.
The update is being rolled out, and is planned to roll out on other Samsung devices too, so I would be surprised if you haven't gotten an update notification yet.
It patches a flaw that could be used to wipe your handset completely, taking it back to factory defaults, and even a command to change your pin number!
What to do if you did, but didn't apply it:
If you didn't apply the update, either because you were busy or didn't want to set it to download from a 3G connection, I suggest you back up all data, and go back to Settings, About Device, and select Software Update followed by the Update button and let the handset do its work.
Make sure to be connected to a WIFI connection if you are at all worried about carrier 3G costs. The phone will warn you before it starts downloading.
What it is:
The flaw involves the way some Samsung and HTC Android phones handle a 'tel' protocol. A tel protocol is what the phone uses to bring up the dialer when prompted to by either a link, or as I will explain, information in a text message or similar.
If you have ever gotten a text message with some highlighted numbers the phone has recognised as a phone number, and you have pressed it, you may have noticed it brings up the dialer, ready for the number to be saved or called.
Some codes can be used to access functions within the Android system without the need to press the call button.. One of these codes deletes all data and sets it up back to factory settings, wiping all your pictures/numbers (if not stored on the sim or Google), videos, and any other important information you may store on a day to day basis. Whilst another can change your pin number making your device a brick.
Dangerous you say? Yes.
The flaw was found by a hacker, and the flaw could be used against Samsung and HTC Android handsets. A possible attack would simply be as simple as opening up a link on a webpage, or even a text message, which would then cause the dialler to open, run the command and render your device useless until you could find time to sort it all out.
The update renders this useless, so the command will not run from these sources.
Safe Example:
A safe command you can type that will show how you do not need to press the call button is this:
*#*0*#
That code brings up a LCD test menu and is built into Samsung Android devices, where you can test the LCD quality of your device, along with other various tests.
See how you didn't have to press the call button? These types of commands if put in the wrong hands could cause a lot of harm.
Some Samsung Android devices are not affected however due to the carriers blocking this function already, so don't panick just yet.
To test if you are immune, you can run another test from within your phones browser, which is 100% safe. If you are immune it will display either *06# or nothing at all. If however you are prone to an attack, it will display your phones IMEI number, which will not do any damage. It is simply the unique number of your handset:
dylanreeve.com/phone.php
If your IMEI number displays, again, don't panick; Just be very cautious with unknown URL's, NFC, or QR Codes for a while until patches are rolled out by your carriers.
