Be careful what links you click: A single line of HTML code can wipe the data on certain Samsung smartphones running Google’s Android software.
The issue is specific to Samsung phones that also use the company’s TouchWiz software, says SlashGear, which actually means most of the current Samsung smartphones. Google’s Galaxy Nexus, also made by Samsung, is not affected by the exploit, which was demonstrated by Ravi Borgaonkar at the Ekoparty security conference…
The short line of HTML code, Borgaonkar says, can also be executed through an embedded QR code or NFC wireless transfer. Even worse than an unintended factory restore or data wipe, this exploit can render the phone’s SIM card useless.
Some will surely condemn Android as a whole for this issue, but since it’s specific to Samsung’s TouchWiz software — likely as a feature to quickly dial phone numbers by way of links, QR codes or NFC data — the problem is limited to Samsung devices. I’d expect that Samsung releases a patch to disable the automatic phone dialing soon.
Samsung has a patch for the S3 available via OTA update.
As a long-time Android user, however, these security — or insecurity issues, rather — are getting old in general. I mainly use Android devices because they fit my mantra of “use the best tool for the task at hand.” As someone embedded deeply in Google’s world of apps and data, Android simply works better. Even my limits are getting tested though: An open platform that can be endlessly tweaked is great until the wrong folks are tweaking it.
So says Kevin Tofel at GigaOm.
UPDATE: As I noted, an update is available for the S3. Kevin expects other models are rolling out soon.