Be careful what links you click: A single line of HTML code can wipe the data on certain Samsung smartphones running Google’s Android software.

The issue is specific to Samsung phones that also use the company’s TouchWiz software, says SlashGear, which actually means most of the current Samsung smartphones. Google’s Galaxy Nexus, also made by Samsung, is not affected by the exploit, which was demonstrated by Ravi Borgaonkar at the Ekoparty security conference…

The short line of HTML code, Borgaonkar says, can also be executed through an embedded QR code or NFC wireless transfer. Even worse than an unintended factory restore or data wipe, this exploit can render the phone’s SIM card useless.

Some will surely condemn Android as a whole for this issue, but since it’s specific to Samsung’s TouchWiz software — likely as a feature to quickly dial phone numbers by way of links, QR codes or NFC data — the problem is limited to Samsung devices. I’d expect that Samsung releases a patch to disable the automatic phone dialing soon.

Samsung has a patch for the S3 available via OTA update.

As a long-time Android user, however, these security — or insecurity issues, rather — are getting old in general. I mainly use Android devices because they fit my mantra of “use the best tool for the task at hand.” As someone embedded deeply in Google’s world of apps and data, Android simply works better. Even my limits are getting tested though: An open platform that can be endlessly tweaked is great until the wrong folks are tweaking it.

So says Kevin Tofel at GigaOm.

UPDATE: As I noted, an update is available for the S3. Kevin expects other models are rolling out soon.



  1. Oops says:

    Total app developer fail. Or blame it on QA? Who’s in charge?

  2. Peppeddu says:

    It was bound to happen.

    You have a huge code fragmentation in the wild, most of them customized down to the core and no easy way to get to it (you have to go through the carrier first).

    Good luck getting a patch for that.

    Solution, throw away the Android phone and get one with an OS that has a clear support lifecycle.

    • Derek says:

      I know! My EVO 4G is over 2 years old, yet I have Jelly Bean running! You know what I want? I want a manufacturer to tell me when I stop getting updates! That would be COOL!

    • SGS3 says:

      Yea, good luck getting a patch for that! oh, wait, my sgs3 already has the patch on it, and is not vulnerable… won’t be long until it’s on all of them

  3. bobbo, the pragmatic existential evangelical anti-theist says:

    I was thinking of installing the Android OS onto my computer just to play with it for awhile and download the “free app of the day” that is available everywhere.

    Then I thought… why bother. Now I can see I will do it so that I stop thinking about it. About 250 MB–should fit on an open partition I have. I was hoping I could run it within/with Windows.

    Is there an app for that?

    • Derek says:

      youtube.com/watch?v=ltadM2qRmoM

      • bobbo, the pragmatic existential evangelical anti-theist says:

        Thanks Derek: I didn’t find the Virtual Box discussion the first 2-3 times I googled this issue. I’ve downloaded it. 90 MB so it’s real small. Excellent! I have RAM to spare so that’s good too.

        The guy on your link was hard to follow so the side bar had this one which is better for me.

        http://youtube.com/watch?v=FHZn-fdRAJo&feature=related

        Just what I wanted. Will angry birds or tetris be more fun now and why haven’t I found these for Win 7 yet? (free, of course!)

        • bobbo, the pragmatic existential evangelical anti-theist says:

          Looking it over a bit more, looks like all the Android Phone apps work via touch screen controls? I was thinking they would have a key pad that the desktop could use, but I can see how that is not so.

          Will Win 8 with its touch screen OS be any different?

          I’ve been going to buy an old iPhone just to play music and have a camera. I use Skype for all phone calls.

          Pros and Cons, challenges to every non-standard usage we have. Those first person shooters on the iPhone look second rate compared to computer play.

          Always something. But Virtual Box is new to me. Should be able to use it for something else as well?

  4. pedro says:

    That’s not true. Only MS makes bad code.

    • noname says:

      pedro, I guess you can’t help being completely ignorant, “Only MS makes bad code”. Take your meds!

  5. ECA says:

    For those that don’t get it…
    BITS/VIRUS are all you can get…Just wandering the NET..
    yes this is bad for samsung.
    But, consider all the HOLES under windows..

    With ADOBE, FLASH, HTML, and 7 other Markup languages floating around..

    It would be NICE if you go to a site and these Programs started up OUTSIDE (and sandboxed) in another window..NOT under IE or FF or Chrome..

    There are ways to PROTECT your systems, and MS should have done AT LEAST 1/2 of them..MOST protection isn’t hard.

    I try to SCARE people about the net..
    I also ask/instill into them the FIRST RULE (after I install protection) DON’T PUSH THE BUTTON…

    I just received a Phishing email.. from my Net company.
    It wanted me to READ a PDF..
    (NO WAY IN HELL)
    so I called up my company, and they told me that OTHERS had found the same email..and it wasn’t Theirs.

    I have many stories but won’t give them here..

    ALSO for some of you.. MOST MAKERS build in a backdoor to FIX a system. Ask those HARDWARE IDIOTS out there that mess up a router..

  6. sargasso_c says:

    I now have something to defend myself against the giggling hordes of Android users laughing at my Maps App.

    • Supreme Ultrahuman (I see the comment system is still designed for retards.) says:

      But, if you are using iPhone Maps, can you even find the hordes so they can giggle at you? ;-)

  7. Captain Obvious says:

    Obviously the fix will be pushed to most people’s phone by 2016.

  8. immovableobject says:

    We interrupt the Apple bashing for this brief announcement.

  9. Admfubar says:

    let me interrupt the Android bashing, this is a Samsung utility that has nothing to do with Android code.. the exploit is in this utility.
    this is the trouble with using non-free/non-open-source code. not enough eyes checking things..

  10. noname says:

    SAMSUNG product quality/reliability sucks, always has!

    Their products have a lot of good “me-too” features, good specs and their styling is also good; but, as far as reliability and longevity, SAMSUNG Sucks!

    If first impressions and the purchase experience are all you care about, then SAMSUNG products are for you, you are their target market. If you expect reliability and longevity, buy something else!

    SAMSUNG’s business model is being only “good enough” with me-too products, which are mostly copy-takeoffs with some added differentiating features. Their products are designed to appear pretty good and be fairly priced and that’s about it.

    SAMSUNG buys their technology; they don’t make or invent it!

    • pedro says:

      Yet Samsung parts are inside the oy!phone. macfans are so funny…

      • noname says:

        Really? For the iPhone 5, Apple has alternate supply sources for parts Samsung was providing, including the screen and memory chip. For the iPhone 5 A6 chip, Apple is switching to TSMC to supply processors from the second-half of 2013.

        So, not only is Apple pushing SAMSUNG out of its products, it’s seeking to ban Samsung’s Smartphones from the US Market (just in time for the Christmas rush)!

        Also the Korea Fair Trade Commission (FTC) is investigating Samsung to see if the electronics giant is unfairly competing in the mobile phones market by abusing its dominance in wireless technology patents.

        • The Ox says:

          That sure was a lot of bluster to admit that yes, the iPhone is full of Samsung. That is what you just admitted, all your ranting about “alternative supply” and switches happening in the future aside. It would have been funny if not such a sad illustration of the Cult of Apple mindset. Whatever else it was, it was certainly ironic to see you counter the claim by admitting the fundamental truth of it.

          • pedro says:

            In the electronics world, nobody’s better at shooting themselves on the foot than macfans. Bless their souls.

          • noname says:

            Your definition of “full of” isn’t a very common one, or even within a reasonable extension of it!

            1 chip out of many is far from full of it!

            Let me help you out with an example of proper use of “full of”.

            You’re “full of” shit and obviously totally ignorant!

            Below is a list of major iPhone 5 chips with one being Samsung manufactured A6. The rest are from other chip vendors.

            Apple A6 application processor (Samsung)

            Elpida EDB8164B3 LP DDR2 SDRAM.

            Apple 338S1077 Cirrus audio chip (has Cirrus CS35L19 class-D audio amplifier)

            Murata 339S0171 Wi-Fi module
            (has Broadcom BCM4334, Wi-Fi (802.11 a/b/g/n), Bluetooth 4.0 + HS and FM Receiver)

            Qualcomm MDM9615 LTE modem

            Qualcomm RTR8600 Multi-band/mode RF transceiver

          • pedro says:

            1 I didn’t say full
            2 The Ox went with the word full to mock your poor attempt at denying my premise.
            3 You’re making a bigger macfan (I was gonna say fool but that’s kinda redundant) trying to defend yourself any further; I think you better let it rest

          • noname says:

            Pedro, again you are boldly showing your ignorance!

            I never said, you said “full”. But I will say you are totally full of shit!

            I don’t care why Ox shit is ignorant and why he wrongly said “full”.

            Pedro, just because you’re ignorant, ignorance doesn’t make you right and you definitely shouldn’t project that onto your bbf Ox shit!

            Despite what you think, ignorance doesn’t make right!

          • pedro says:

            Excellent macfan manifesto nobrain. This is exactly why we laugh so hard at macfans like you

          • noname says:

            “We”, the only “we” you have is yourself and your little pedro, erect again.

            You think I wrote a “manifesto”. You really are awfully ignorant.

            Why don’t you go back to reading your copy of Palacio Nacional de Mexico Communist Manifesto!

  11. BigBoyBC says:

    It’s not a flaw, it’s a feature!

  12. John says:

    I totally agree. This is not really an Android issue. But an apps developer issue who simply did some bad coding. I think the next big malware outbreak will be on smart phones. Not sure if it will be Apple’s, Windows phones or Android phones. But they are the most vulnerable at this point.

  13. Captain Obvious says:

    You can check your Android since the problem is with the dialer itself. Obviously the problem isn’t just with Samsung phones.
