The issue relates to users being tricked into visiting malicious websites. On these websites, users activate a code by clicking on a phone number on the screen, thinking that the number shown is a legitimate one.
The types of information which can fool users are described in the ISK blog (Technical University Berlin). For example:
“Android supports TEL protocol to call the desired phone number from the browser. Invoking TEL:123 intent via any Android app (which has a permission to make a call) can put a number 123 on the dialer to call.
For example: Call us to contact . After clicking the above link, Android applications/browsers pre-enter digits 19050000 on to the dial screen without auto-dialing.”
The fault exists because Android devices cannot differentiate between actual phone numbers and what are called USSD (Unstructured Supplementary Service Data) codes. Certain USSD codes can trigger a handset to reset or wipe its memory card. In this sense the code is malicious, in that it causes damage, but it does not result in the loss of data or the stealing of personal information.
USSD codes are normally safe. USSD is a protocol used by GSM cellular telephones to communicate with the service provider's computers. USSD can be used for WAP browsing, prepaid callback service, mobile-money services, location-based content services, menu-based information services, and as part of configuring the phone on the network.
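The distinction described above, between a plain phone number and a USSD-style code in a `tel:` link, can be checked before a page is trusted or a number is handed to the dialer. The following is an added example, not code from the ISK blog or from Google's patch; `classifyTel` and `scanHtml` are hypothetical names, the sample HTML is constructed, and treating any `*` or `#` as USSD-like is a deliberately conservative assumption.

```javascript
// Added example. classifyTel and scanHtml are hypothetical names; sampleHtml is constructed.
function classifyTel(uri) {
  const m = /^tel:(.*)$/i.exec(uri.trim());
  if (!m) return "not-tel";
  let target;
  try {
    // "#" has to be written as %23 inside a URI, so decode before checking.
    target = decodeURIComponent(m[1]);
  } catch (e) {
    return "malformed"; // broken escape sequence: do not pass to the dialer
  }
  // Drop tel: parameters (";ext=...") and visual separators.
  const dial = target.split(";")[0].replace(/[\s().-]/g, "");
  if (/[*#]/.test(dial)) return "ussd-like";        // MMI/USSD control characters
  if (/^\+?\d+$/.test(dial)) return "phone-number"; // digits, optional leading +
  return "malformed";
}

// Collect every tel: target in href/src attributes that is not a plain number.
function scanHtml(html) {
  const findings = [];
  const attr = /\b(?:href|src)\s*=\s*(["'])\s*(tel:[^"']*)\1/gi;
  let m;
  while ((m = attr.exec(html)) !== null) {
    const verdict = classifyTel(m[2]);
    if (verdict !== "phone-number") findings.push({ uri: m[2], verdict });
  }
  return findings;
}

// Constructed sample page: one ordinary number, two code-style targets.
const sampleHtml = `
<a href="tel:+49-30-1234567">Call us</a>
<a href="tel:*123%23">Call support</a>
<a href='TEL:%2A123%23'>Call sales</a>
`;
console.log(scanHtml(sampleHtml));
```

A check that only looks for a literal `#` in the raw link misses the percent-encoded form, which is why the target is decoded first.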
Although all Android devices were potentially vulnerable, the main risk was to Samsung devices, according to the media site DNA.
Following a report of several incidents, Google have issued an update which fixes the problem. According to Silicon Republic, the over-the-air (OTA) patch came out a little while ago but without any fanfare from Google. The patch will only provide safety if Android users ensure that they have the latest update.