Ekoparty security conference in Argentina last week, that how a single line of HTML code could be used to run a factory reset or even clear the SIM card on certain Samsung phones.
Malicious hackers can hide a code in a web page that will trigger a full factory reset of Samsung's best-selling Galaxy S3 smartphone, deleting contacts, photographs, music, apps and other valuable data.
The devastating flaw lies in Samsung's dialling software, triggered by the tel protocol in a URL. It isn't applicable to all the company's Android handsets, but those that are vulnerable can have their PIN changed or be wiped completely just by visiting a web page or snapping a bad QR code, or even bonking up against the wrong wireless NFC tag. The tel protocol is generally used with phone numbers to provide clickable "call me" links on websites: tapping on the hyperlink in the handset's web browser opens up the dialling software and calls the number contained in the link.
Samsung is currently looking into the issue further, and details are still coming out about which devices are affected. For the time being, however, it appears that only Samsung phones running TouchWiz are susceptible (so not the Galaxy Nexus or any device running stock Android), and only if the malicious URL is loaded in the stock browser, rather than Chrome. The current fix for the issue is to disable automatic site loading in QR and NFC readers, and be careful about clicking potentially dodgy links.