USSD Exploit Can Lock All Android Phone SIM Cards

While only a certain brand of smartphones was vulnerable to being wiped via an USSD command embedded in webpages, the locking of SIM cards is possible with most any Android phone.

The victim just needs to have the phone access a maliciously-formed “tel:” URI, such as by visiting a web page with an embedded iframe. When the mobile browser loads it, the embedded USSD command (in this case, the PIN or PUK change command) is executed, without need for confirmation from the user.

After a number of attempts using the wrong PUK, the SIM card is locked and requires a new PUK number to be re-activated.

We strongly recommend that Android users install Bitdefender USSD Wipe Stopper, which has been updated to reflect this threat scenario.