USSD attacks

  • 23 October 2012
  • 5 replies

Userlevel 7
There was quite a big buzz recently about USSD attacks hitting Android devices. Therefore I have a simple question. Can WSA Android (Free, Premier and Complete) protect against these attacks?
Thanks & regards,

Best answer by Roloc 24 October 2012, 17:37

View original

5 replies

Userlevel 7
I will reply myself ;)
Yes, WSA protects against USSD attacks by means of Webroot Dialer Shield. Nevertheless if you choose the in-built phone dialer, you are vulnerable! I will elaborate a bit ... 
First of all, you can test vulnerability of your Android device on Dylan Reeve web page.
If you go on the test page in your in-built Android browser or in Webroot SecureWeb you will get a prompt to choose either the phone's dialer or Webroot Dialer Shield. If you choose Webroot Dialer Shield you will get a warning confirming the malicious attempt was blocked. That's fine and correct.
HOWEVER, if you opt for the phone's in-built dialer you will get IMEI of your Android device what eventually proves vulnerability!
The main problem is that a user has an option to choose between the phone's dialer and Webroot Dialer Shield. If you follow the Webroot Dialer Shield you are safe but if you follow the phone's dialer you are vulnerable. Therefore there shouldn't be ever possibility to rely on a user interaction and WSA should block USSD attacks directly without having asked a user for its option.
I SHOULD POINT OUT, though, that getting the option to choose the phone's dialer or Webroot dialer might be down to settings applied on my HTC Desire S. I have set to always ask what application I want to run if there are more available applications than one.
To be thorough, I should also say that when trying the test page in Opera mobile I am not getting any prompt or IMEI directly. So, it means that even if Opera isn't supported by WSA, he cannot handle such remote USSD attacks so in fact you are safe with Opera too.
Userlevel 7
Badge +4
Wow. A question AND an answer? You should get double kudos for that.
Userlevel 7
Thanks CatB ;)
However I would like to hear comments from Webroot techies to my findings as regards the prompt to choose either the phone's dialer or Webroot Dialer Shield because in this scenario it looks like being a security hole in protection!
Userlevel 3
Hello there,
We jumped on that USSD attack and put in the fix that you were speaking about.
The issue is that the Android operating system gives them the option, not us.  The browser is requesting a dialer and then prompts the user for which dialer they want to use.  This is all internal to Android. Obviously this could be totally normal behavior if you click on the phone number that you want it to dial, say ordering that pizza from a site.  
However in this attack it is hard to discern what is normal behavior and what isn't.  
So in short yes use our dialer especially if you aren't specifically clicking on a number you want to dial and we will look into if there are other ways to block this attack.  
A better answer in the future is to select our dialer and then say use "always".  All our dialer does is make sure the number is clean before passing it to the stock Android dialer. 
Userlevel 7
Thanks Steve for the explanation!