Update your Samsung Galaxy S III now or you might lose all of your data

Do you have a shiny new Samsung Galaxy S III smartphone? Does it contain precious information like contacts, calendar events, music, or photos that you don’t have backed up somewhere else? If so, you might want to avoid visiting any websites until you get the latest update from Samsung.

A security researcher revealed a little trick last week that puts Samsung Galaxy S III data at risk. Embedding a simple 11-digit string of characters and symbols in a Web page is enough to cause a Galaxy S III smartphone that visits the website to trigger a full factory reset of the device. All contacts, photographs, music, apps, and any other data will be erased.

The Samsung Galaxy S III runs on Android, but apparently the issue is unique to Samsung’s TouchWiz interface, which Samsung overlays on the core Android OS. According to a report from The Verge, other Samsung smartphones that use the TouchWiz UI, such as the Galaxy S II or the Galaxy S, are also at risk.

Now that the code has been revealed, it’s being circulated online. Attackers can easily find out what the magic code is and craft malicious websites that erase Samsung smartphones in an instant. Once the code has been entered and the wipe has started, there is no way to abort the process.

You should have some sort of cross-device security tool in place for your PCs, smartphones, and tablets. It’s possible that security software might be able to detect and identify malicious websites to warn you to avoid them, and help you protect your data from being wiped out by an attack like this.

Of course, if the attack is too new and the security vendors haven’t yet updated the security tools to identify the new threat, it’s possible that an attack like this could still slip through the cracks. For those situations, it’s also important to use common sense, and exercise a little discretion before clicking on links or visiting shady websites.

This scenario illustrates one of the tradeoffs customers accept when using a device with a third-party skin overlaid on the Android OS. Samsung’s TouchWiz UI, Motorola’s MotoBlur UI, HTC’s Sense UI, and similar tools add features and functionality not found in the core Android OS or on rival Android smartphones. However, these tools can also introduce vulnerabilities, or expose customers to threats that don’t affect the core Android OS or competing Android smartphones.

Samsung has reacted quickly to the problem, and has developed an update to address it. Samsung issued a statement announcing a software update for the Galaxy S III, and recommending that customers use the OTA (over-the-air) update service to download and apply the patch as soon as possible.

However, the update is still being pushed out, so many users are reporting that their Galaxy S III still says there’s no update available. Also, there’s no acknowledgement or confirmation yet regarding the impact on other Samsung TouchWiz UI devices, or when (or whether) an update can be expected for them.

[Update: Further research indicates that the issue is, in fact, in Android itself. The behavior has been replicated on Motorola and HTC smartphones as well, and appears to be a function of the Android dialer in older versions of the Android OS. The bug was fixed earlier this year, but smartphones that have not been updated may still be affected. A website was set up to help you determine whether your Android smartphone is vulnerable.

Users who applied the update from Samsung for the Galaxy S III are safe. This new information moves the blame from third-party interfaces back to Android itself; however, users should still be aware that unique, custom interfaces can introduce unique, custom risks, and the burden is on the user to exercise caution and employ the appropriate security measures.]
