Earlier this week, we were noticed that an USSD vulnerability was discovered in Android. After doing a bit of research, we came to understand the nature of the vulnerability: intents can basically dial a number and start a call without asking confirmation to the user. That could seem harmless at first sight, but it turns out it also works with USSD codes, and some of them are very powerful. This is mostly the case of vendor-specific USSD codes (that are not included in Replicant), which could erase the phone’s user data.
What’s also problematic about this is that web pages can trigger such intents (through an iframe with the
tel: prefix for instance).
Since this vulnerability was present in our Replicant images (although the damage was reduced as we don’t include vendor-specific USSD codes), we decided to include the fix in our code base and release new images. That’s nearly the only new feature of these images (Galaxy S also got a nasty graphic bug fixed).