Read message from USSD Android code

This link talks generally about the subject:

Where is the security breach?

To execute a USSD code, you must insert it on your phone’s keyboard and press "Connect". What Borgaonkar discovered is that this code automatically runs in the background, without the user noticing that the action is happening.

For this, he used a feature that belongs to the standard smartphone repertoire: the browser link with the phone application (the dialer). That is: If I type in the browser a phone number will directly open the phone application with the number and we just need to click "Call" to run the process. This requires an HTML code:

<a href="tel:xyz">Clique aqui para ligar diretamente</a>

Now we can perfectly replace the phone number "Xyz" by the USSD code as *2767*3855#, easily. Using our example would look like this:

<a href="tel:*2767*3855#">Clique aqui para ligar diretamente</a>

The above command assumes, however, that the user clicked on a link, so that the phone application starts. Borgaonkar incorporated this command into a frame, which looks like the structure below:

<frameset><frame src=“tel:*2767*3855#" /></frameset>

If this structure is placed on a website, any phone that accesses this page will immediately call this number, without further security investigation. However, this is not the problem, because when I go to a malicious type site with my smartphone, the phone app opens, but I explicitly have to tap "On" to make something happen and perform an action.

The security flaw is that some smartphones do not require certain interactions with the user. Instead, the call is immediately executed at the bottom. And if this background call hides a corresponding shortcut to an USSD code, that’s where the problem lies. In Borgaonkar’s demo it means that the Galaxy S2 can visit a malicious site and immediately start the factory reset without the user knows what is happening.

Reference:

http://www.androidpit.com.br/ussd-exploit