It has been known for a while that some Android-based devices support not only the “official” USSD codes (Unstructured Supplementary Service Data), also known as “GSM codes”, such as *#06# to display the IMEI, but also accept much more powerful commands this way, such as resetting the device with a total erasure of all data or modifying the PIN/PUK of the SIM card!
Please also note the update at the end of this article.
Since the Android browser automatically passes URLs that start with tel: to the system as a phone call, such USSD codes can also be embedded in web sites, making many devices execute an action without further confirmation by the user, for example by using an IFRAME element, which the browser loads automatically. Besides devices by Samsung, many devices by HTC, Sony, Huawei and probably other manufacturers are affected by this problem as well.
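A defender-side check for the behaviour described above, as an added example that is not part of the original article: it scans HTML for tel: URIs, decodes them, and marks those that contain * or # (used here as a heuristic for USSD/MMI codes) and sit in an element that loads without a click. The tag set, the function names and the sample page are assumptions made for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

# Assumption: elements whose URL the browser loads without a click.
AUTOLOAD_TAGS = {"iframe", "frame"}
URL_ATTRS = {"src", "href"}


def classify_tel(uri):
    """Return (kind, dial_string) for a tel: URI, or None for anything else."""
    scheme, sep, rest = uri.strip().partition(":")
    if not sep or scheme.lower() != "tel":
        return None
    dial = unquote(rest)  # %23 -> '#', %2A -> '*'
    # Heuristic: '*' or '#' marks a USSD/MMI code, not a subscriber number.
    kind = "ussd" if ("*" in dial or "#" in dial) else "number"
    return kind, dial


class TelScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, dial_string, kind, loads_without_click)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            result = classify_tel(value)
            if result:
                kind, dial = result
                self.findings.append((tag, dial, kind, tag in AUTOLOAD_TAGS))


def scan(html):
    scanner = TelScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page; *#06# is the IMEI display code named in the article.
SAMPLE = """
<a href="tel:+4930123456">Call us</a>
<iframe src="tel:*%2306%23"></iframe>
<a href="tel:*%2306%23">Show IMEI</a>
<img src="logo.png">
"""

if __name__ == "__main__":
    for tag, dial, kind, auto in scan(SAMPLE):
        verdict = "BLOCK" if kind == "ussd" and auto else "review" if kind == "ussd" else "ok"
        print(f"{verdict:6} <{tag}> {dial}")
```

Percent-decoding before the check matters: in the sample the # never appears literally in the markup, only as %23.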
Until the manufacturers provide suitable updates, you can help yourself with the app “NoTelURL”. See https://play.google.com/store/apps/details?id=com.voss.notelurl
Update 2012-09-29: Meanwhile there is also an alternative app, which does not simply block everything but shows the number and lets you forward it to the dialer, so you can still use “good” numbers. See https://play.google.com/store/apps/details?id=org.mulliner.telstop