Some mobile phones register special URIs with the prefix “tel:” as representing a phone number that should be called. Some also register the USSD protocol, allowing them to do even more with a single command. Unstructured Supplementary Service Data (USSD) is a protocol used by GSM cellular telephones to communicate with the service provider’s computers.
USSD messages are up to 182 alphanumeric characters in length. Unlike Short Message Service (SMS) messages, USSD messages create a real-time connection during a USSD session. The connection remains open, allowing a two-way exchange of a sequence of data. This makes USSD more responsive than services that use SMS.
USSD can be used for many things, one of them being configuration of the phone on the network. On certain Samsung phones, one special control command even performs a hardware reset of the device.
A typical USSD message starts with an asterisk (*) followed by digits that comprise commands or data. The message is terminated with a number sign (#).
Examples of USSD codes:
Combining the tel: URI mentioned above with the special codes that perform various functions allows mobile phone providers to offer many functions remotely: the user only needs to tap such a link while browsing the provider’s website on the phone.
Unfortunately, this powerful feature has been misused: specially crafted websites contain links to USSD codes that perform various malicious actions. The attack relies on special dial codes (*#06#, for example, displays the phone’s IMEI number), which can be delivered via SMS, NFC beam, QR codes, or a malicious website link to lock the phone’s SIM card, or to factory-reset the phone and wipe all its data. In addition, a special code can redirect all calls to a premium-rate number in order to pile up charges on the user’s bill without the user knowing.
Because these actions can even be performed without the user’s intervention, the only way to block them is a special program that registers itself for the “tel:” prefix and filters out USSD codes before they are executed.
Avira has created such a filter application which performs the following functions:
- If a telephone number is detected, the user is given the option to dial it.
- If a USSD code is detected, it is blocked.
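The filtering decision described above (a program registered for the “tel:” prefix that lets plain phone numbers through to the dialer and blocks USSD codes) can be illustrated with the following classifier. This is an added example written for this post, not Avira’s code; the sample links are constructed, *#06# is the only real code used (it is the IMEI display code named above), and the remaining codes are placeholders. It also goes slightly beyond the text by handling percent-encoded and double-encoded “#” and “*” characters, which a link in a web page can carry and which a filter must decode before it can recognise the code.

```python
import re
from urllib.parse import unquote

# Plain phone number in the visual-separator subset of RFC 3966: an optional
# leading '+', then digits with '-', '.', '(', ')' or spaces as separators.
PHONE_RE = re.compile(r"^\+?[0-9][0-9.\-() ]*$")

# Constructed tel: links of the kind a filter registered for "tel:" would receive.
# *#06# (IMEI display) is the code named in the article; the rest are placeholders.
SAMPLE_LINKS = [
    "tel:+1-555-0100",                         # ordinary number: offer to dial
    "tel:*%2306%23",                           # *#06# with '#' percent-encoded: block
    "tel:%252A%252306%2523",                   # same code, double-encoded: still block
    "TEL:*12345%23",                           # placeholder USSD-style code, upper-case scheme: block
    "tel:555-0100;phone-context=example.com",  # RFC 3966 parameter: dial the number part only
    "tel:",                                    # nothing to dial: reject
]


def _fully_decode(value, max_rounds=3):
    """Percent-decode until stable, so %2523 -> %23 -> '#' cannot slip past the filter."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_tel_uri(uri):
    """Classify a tel: URI as ('phone', normalised_number), ('ussd', code) or ('reject', reason)."""
    if uri[:4].lower() != "tel:":
        return ("reject", "not a tel: URI")
    target = _fully_decode(uri[4:])
    # Drop RFC 3966 parameters (everything from the first ';'); only the number itself is dialled.
    target = target.split(";", 1)[0].strip()
    if not target:
        return ("reject", "empty target")
    # Conservative rule mirroring the behaviour the post describes: anything containing
    # '*' or '#' is treated as a USSD/MMI code and is never handed to the dialer.
    if "*" in target or "#" in target:
        return ("ussd", target)
    if PHONE_RE.match(target):
        # Keep only digits and a leading '+' for the dial prompt.
        return ("phone", re.sub(r"[^0-9+]", "", target))
    return ("reject", "unrecognised characters")


def decide(uri):
    """Map a classification to the action the filter takes for that link."""
    kind, value = classify_tel_uri(uri)
    if kind == "phone":
        return f"prompt user to dial {value}"
    if kind == "ussd":
        return f"block USSD code {value}"
    return f"reject ({value})"


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{link!r:45} -> {decide(link)}")
```

The rule is deliberately coarse: any “*” or “#” in the decoded target blocks the link, so a legitimate provider code is blocked along with a malicious one, which matches the all-or-nothing behaviour of the app (legitimate USSD codes only work once it is uninstalled). Decoding to a fixed point rather than once is what keeps a double-encoded “#” (`%2523`) from reaching the dialer as a plain-looking number.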
The free Android app is a standalone one, separate from Avira Free Android Security.
In order to install it on your smartphone you need to download it from Google Play: https://play.google.com/store/apps/details?id=com.avira.android.telblocker
The usage of the app is straightforward: just install it and confirm when you actually want to place a phone call.
This is the main screen that the user sees once the application is opened:
When you click on a link in a browser (or scan a QR code), Android may open a pop-up dialog with a list of apps that you can choose from to complete the action. Set ‘Avira USSD Exploit Blocker’ as the default, and then select it.
When the user visits a link that tries to execute a USSD code, he may see, depending on the content:
- A screen informing that a telephone number was detected, with an option to call it.
- A warning that the detected USSD code was automatically blocked.
In order to allow legitimate USSD codes, the application needs to be uninstalled.
Note: the above screenshots might look a little different on your device because of the scaling applied automatically by the device itself. You can see more screenshots of the application on Google Play.