I have followed with interest the discussion on the ingenious Ecocash Droid app and how it was swiftly disabled by Econet. I was quite frankly amazed by some of the vitriol that was spewed at Econet by some disgruntled commenters. Though I applaud Gedion for taking initiative and coming up with a way to ease the pains of USSD, I must also point out that security should trump convenience, especially when you’re dealing with people’s money.
For starters, even though the developer states that the app does not store a user’s pin, we cannot know with certainty that it doesn’t. I’m not saying it is, but for what we know, this simple disclosure may actually be a nifty social engineering trick to get users to drop their guard and willingly provide their pin codes. Anyway, let’s assume the app does indeed store the user’s pin and mobile number. This is a major security breach, well, half the story at least. Many of us assume, wrongly of course, that even with these details, a person with malicious intent cannot do much harm without actual physical access to the mobile device. How wrong we would be!
PC Desktop HDD wanted
Lenovo ideapad 100-15IBD
Airpods pro 4
There’s something that’s known as a Remote USSD Exploit that some Android devices have been shown to be vulnerable to. There is a YouTube clip featuring Ravi Borgaonkar where he demonstrates how you can remotely execute USSD code on a Samsung Galaxy S3. The execution of the USSD can be triggered through a variety of means including SMS, the web browser, QR codes, NFC etc. in the demo, Ravi basically performs a USSD factory reset on the Samsung S3 without any user interaction. This little exploit shows us that it is possible to manipulate a phone’s USSD remotely without the participation of the user. And in this, we have the second part of the puzzle!
Now, assuming our malicious user is in possession of your mobile number and your PIN code, and you have a phone that is vulnerable to the remote USSD exploit; what’s to stop him from wiping all the money in your account and sending it to some unregistered number somewhere?
In this article, I sought to demonstrate some of the security vulnerabilities that we may many times overlook if we focus only on the convenience aspect of technology, without due care on the security side.
By the way, to test if your Android device executes a USSD code without dialing, you can do it here.