Just to recap, the exploit (disclosed by researcher Ravi Borgaonkar at Ekoparty in Buenos Aires) uses the Android dialer to automatically "call" a USSD code (no user permission required!); the code can be spread through a legit-looking URL, an NFC attack, or a malicious QR code. The most threatening USSD code, a factory reset, was specific to Samsung TouchWiz phones and has already been disabled by Samsung. However, there are many other USSD codes that work on different Android devices, though viaForensics's Ted Eull said they aren't so easy to find.
At first we thought the vulnerability involved a combination of the Android dialer and the stock browser, but it turns out it has nothing to do with the browser. Mobile security consultancy viaForensics was able to replicate the exploit with the Firefox and Dolphin browsers, and concluded that the problem is just the Android dialer. Google has already released an over-the-air (OTA) patch for its own, unlocked Galaxy Nexus devices, which should all be running at least Android 4.1.1 by now. Mitigation: If you bought your device from a carrier, you are probably still vulnerable to this exploit. Unfortunately there's not much you can do since the only entity that can update your OS is your carrier, which isn't exactly known for timely patching (hello Android fragmentation). But all is not lost!...
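As an added illustration (not code from the article, from viaForensics, or from Google's patch), here is a Python sketch of the check a dialer-side interceptor would apply before auto-dialling a tel: link handed over by a web page, NFC tag or QR code: plain numbers pass, anything in USSD/MMI syntax is held for an explicit tap. The sample links and their digits are constructed placeholders, not real service codes.

```python
from urllib.parse import unquote

# Constructed sample links of the kind a web page, NFC tag or QR code could
# hand to the dialer; the digits are placeholders, not real service codes.
SAMPLE_LINKS = [
    "tel:+1-555-0100",             # ordinary number: dial as usual
    "tel:*%23123%23",              # '*#123#' with '#' percent-encoded
    "tel:%2331%235550100",         # '#31#...' supplementary-service prefix
    "TEL:%2A%2321%2A5550100%23",   # mixed case, fully encoded '*#21*...#'
    "tel:5550100;phone-context=+1",
    "tel:",
    "http://example.invalid/",
]

def classify_tel_uri(uri: str) -> str:
    """Return 'number', 'ussd' or 'invalid' for a tel: URI.

    USSD/MMI sequences begin with '*' or '#' (and usually end with '#'),
    whereas a dialable number is an optional '+' plus digits and visual
    separators. The URI is percent-decoded first: a literal '#' would be
    read as a fragment delimiter, so links carry it as %23.
    """
    if uri[:4].lower() != "tel:":
        return "invalid"
    # Drop URI parameters (';...') and any query part before decoding.
    target = unquote(uri[4:].split(";", 1)[0].split("?", 1)[0]).strip()
    if not target:
        return "invalid"
    if target[0] in "*#" or target.endswith("#"):
        return "ussd"
    digits = target.lstrip("+")
    for sep in "-. ()":
        digits = digits.replace(sep, "")
    return "number" if digits.isdigit() else "invalid"

def needs_user_confirmation(uri: str) -> bool:
    """Policy an intercepting dialer would apply: auto-dial plain numbers,
    but never send a USSD/MMI sequence (or junk) without an explicit tap."""
    return classify_tel_uri(uri) != "number"

def triage(links):
    """Map each link to its classification (helper for inspection/tests)."""
    return {link: classify_tel_uri(link) for link in links}

if __name__ == "__main__":
    for link, kind in triage(SAMPLE_LINKS).items():
        print(f"{kind:8} {link}")
```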
Read the linked article at PCMag.com on how to protect your Android phone from this exploit.