A note on the new USSD code protection feature

I’m glad that avast! now protects against USSD codes sent via web pages (i.e. URIs), but it doesn’t protect against USSD codes coming from other apps. This is easily proven by sending a USSD code from an app such as Ray Dialer. Just enter the USSD code *#06# in Ray Dialer, and tap the phone icon. The app USSD Blocker stops it, but avast! Mobile Security does not. (Unimportant sidenote: Ray Dialer does not send the USSD code successfully. The example I used won’t even display the IMEI code properly. I think this is because Ray Dialer uses the CALL method, rather than CALL_PRIVILEGED. But it’s rather irrelevant, as Ray Dialer is simply a stand-in for a malicious app.)

I know some will respond that avast! should catch malicious apps before a USSD is sent. Please. That assumes the malicious app is recognized. It’s obviously more reliable to simply block all potentially malicious USSD codes, regardless of where they come from.

I’m keeping USSD Blocker installed.

Thanks for posting. I have GData USSD blocker and, for your tests, seems we should keep it (at least, for a while).

avast! has released an update for avast! Mobile Security yesterday or today to prevent this as well. Check the Google Play, i’ve updated it today…

Thanks, but the update you refer to is the one that introduced URI-based USSD blocking; it still doesn’t block USSD codes that may come from apps.

I realize that URI-based USSD protection is more important, but I think it’s still important to filter those coming from other apps as well. And I’d be more comfortable using avast! for this than some random Android developer.

hi, the USSD codes sent by CALL / CALL_PRIVILEGED command do not have any effect on the phone. The dangerous codes are actually not being CALLED, it is handled directly within the dialer without issuing any call. So the only way a harmful app can do damage is actually to open the dialer to view the USSD code - if such things are being sent, it is blocked by avast!.

So, right now, it’s not necessary a suplementary app to be protected? Is avast! doing ALL the job?

yes thats the cool thing :slight_smile:

Thanks. Uninstalling it then right now.

There’s a misunderstanding here somewhere. Apps can send USSD codes to the native dialer, and either make it dial that USSD code (Ray Dialer causes the native Phone app on my Motorola to do this) or make that USSD code execute from the dialer (Dialer One makes my Phone app do this; for example, it successfully makes the IMEI display if I send #06).

If these third-party dialer apps can make USSD codes in the native dialer, a malicious app could, too.

The only reason I mentioned that Ray Dialer makes my stock dialer “call” is that it’s a bit screwy for a dialer to send a USSD code the wrong way (from what I gather, it’s necessary to use CALL_PRIVILEGED to make the USSD code run, rather than be treated like a regular call), but it was still helpful in my testing of the USSD Blocker app. Other third-party dialers DO make the stock dialer execute the USSD code. Dialer One does, for example. There are many others.

If the IMEI can be made to display after *#06# is sent, the vulnerability could be exploited. This is the standard means that has been used as a proof of concept for this problem. I can trigger an IMEI display from a test web page (using an Android browser that doesn’t block the USSD code on its own). I can also trigger the IMEI display from an app. Yes, when I do this, I’m manually entering the USSD code (in Ray Dialer or Dialer One, for example). But a malicious app could send a USSD code in the exact same way.

Or am I missing something?

hi, in your first post you said that ray dialer doesnt actually succeed. thats as i know it. CALL_PRIVILEGED is a feature that is not available to 3rd party apps, but only to the system itself.

Yeah, Ray Dialer doesn’t seem capable of handling USSD codes properly. But other dialers I tried were able to send them to the native Phone app successfully. The author of USSD Blocker thinks this can be exploited (not by these dialer apps where the user manually enters the USSD code, but by malicious apps, of course). I’m not sure he’s right, but I’m playing it safe for now. I’m feeling a bit confused, quite honestly.

the malicious USSD codes (e.g. for wiping the phone) need to go through the native dialer and are actually NOT calls (handled within the dialer directly) and are catched by our implementation. this means a) that by catching outgoing calls they can not be prevented (this is the way USSD blocker does this) and b) in all other cases (where the native dialer implementation is used without user commit) avast! Mobile Security will catch it. We will probably block non-critical USSD commands as well in the future though but need to research on the unwanted side effects of this before doing so.

USSD Blocker intercepts calls going from one app to the native dialer. When I do this in testing (send a USSD to the native dialer), an app chooser dialog appears. USSD Blocker is listed on that chooser (along with the native dialer). Avast is not listed. I don’t see how avast can block them because of this.

How exactly are you testing it?

Filip

The question is: does the dialer (if you do not choose ussd blocker) then AUTOMATICALLY execute the ussd code WITHOUT ANY user interaction?

it could be the .CALL and .DIAL intent problem, but still, you have to do this one by one, so avast is catching it.

Hi all!!

First of all, avast! its an wonderful product, i’m very glad that it is free, thank you!

I’m here to get help on USSD question and give my contribution.

After read this article about USSD flaw:
http://www.pcworld.idg.com.au/article/437505/how_check_your_android_phone_vulnerable_ussd_security_flaw/#c1212999

I have made this observation:

Frans Muniz Thu 18/10/2012 - 15:55
LG Optimus 3D - P920H / Android 2.3.5
Android Default Browser - runs the script and IS INFECTED - show IMEI (1) (2)
Maxthon Browser as default - don’t run the script, so its safe to use (3)
Observations:
(1) before default browser run the script the system ask to me an default application to run it, the options are: avast! Number Validator, SMS Messenger or Phone Dialer. In other words, the script only runs if you clicked on “Phone Dialer” option.
(2) avast! is installed but don’t catch this flaw… apparently…
(3) my preferred browser is Maxthon and its set as complete default with an app called Default App Manager Lite, so this is my suggested workaround to avoid the problem
Maxthon at Google Play:
https://play.google.com/store/apps/details?id=com.mx.browser#?t=W251bGwsMSwxLDIxMiwiY29tLm14LmJyb3dzZXIiXQ
Default App Manager Lite at Google Play:
https://play.google.com/store/apps/details?id=com.appiator.defaultappmanager#?t=W251bGwsMSwxLDIxMiwiY29tLmFwcGlhdG9yLmRlZmF1bHRhcHBtYW5hZ2VyIl0.
Hope help someone.
Cheers from Brazil!

So. my questions are:
I am secure with avast! or not?
I need to install another application to help with this flaw?

Obs: My avast! its fully updated, anti-theft too.

Thanks a lot.
Cheers from Brazil!

regarding 2) you have to select avast! Number Validator to scan (you can choose “Use always”)
regarding 1) see above + there is no other way of doing this

Thanks brother!
:smiley:

well this USSD blocker sucks for me. i can make USSD commands via the stock dialer. but i dont use the stock dialer. almost all networks services need me to use USSD codes… (in india almost every GSM network needs it’s customers to subscribe/activate services via USSD codes i.e to check prepaid balance, data usage etc.) so we r very dependent on USSD … n i can’t seem to be able to disable USSD blocker. :frowning:

Update:- Ok i found that all USSD codes dialed into the new dialer (exdialer) were being auto-routed to the stock dialer and this was somehow detected by avast and blocked. when i disabled the the routing of USSD to stock dialer (in exdialer settings) then exdialer was able to execute the USSD codes by its own :slight_smile: b ut i still wish USSD block was an optional feature. as i feel i don’t need it.