android_shot-underfire.jpg (298×299)QR offers can wipe your Phone.


Right! It is possible that if you click on image from mobile camera, your phone may get format.
If you are Android freak and Internet savvy, then you are Vulnerable to this attack: "TELpic". TELpic is a malicious technique of tricking an android user into reading a QR code through mobile camera, thus potentially directing an android user to some malicious URL. Not only redirection, this threat is capable of executing USSD (Unstructured Supplementary Service Data) code, a vendor specific command. USSD codes are capable to read owner's IMEI, & other phone specific details, these USSD commands can be used to restore mobile to factory settings: thus deleting all assets in your mobile device. It is a Mobile phone security issue that spans across a variety of Samsung Android mobile devices (running anything below Android 4.1.x also known as Jelly Bean / Ice-Cream Sandwich [Latest versions]).

Figure illustrating how a QR code redirect user to malicious page which in turn restore user’s mobile to factory settings.
TELpic takes the form of embedded code that execute with the user's knowledge, such as opening browser that appears to perform another action using “TEL” URI scheme.
TELpic uses the Android dialer to automatically "call" a USSD code (no user permission required!); the code can be spread through a catchy URL, a "Near field communication" attack, or a QR code, where Malicious QR code is in fashion.
This Vulnerability appears to exist within both the Samsung dialer and Android browser. Unlike most mobile vendors, Samsung mobile automatically makes the call while others still require the user to hit "send" like in Iphone or other Multimedia Mobile Phones.  There are plenty of devices that are vulnerable to this threat;, though experts say the Galaxy S III devices has been patched. Researchers at Google have already released a patch for its Galaxy Nexus devices, which should be running by now.
The most threatening USSD code, a factory reset, was specific to Samsung phones and has already been disabled by Samsung for new phones. However, there are many other USSD codes that work on different Android devices.
Antidote:
If you have Samsung Android enabled device, you are probably still vulnerable to this exploit. Here is a antidote to increase your mobile immunity.
  1. First, test if your mobile is even vulnerable. Open (http://mobtest.indianhans.org) from your mobile phone's browser. If you can see your IMEI, this vaccine is for you.

Figure illustrating how users can check whether there mobile is vulnerable to TELpic attack or not.
2. Install a dialer other than a default one, which will stop the automatic execution of any USSD code. Dialer One and exDialer are free, easy to use, and can be found in Google Play. After you install your new dialer, take a test mention at step one again.
For future, we at Anti Hacking Anticipation Society lab working to create a universal Keypad that can seals such attacks before it hampers victim’s mobile.

Author's Bio 
Rishi Aggarwal & Taufique Azad
Anti Hacking Anticipation Society – HANS
 
Top