Over at the Ekoparty security conference, Ravi Borgaonkar presented a session titled “Dirty use of USSD Codes in Cellular Network”, and what do you think was used for the demonstration?
Samsung Androids with TouchWiz, of all things. The guy demoed how a single line of HTML code can wipe the data on such handsets if you click it, since TouchWiz has a feature that automatically dials a code when a link is tapped.
The same goes for QR scans and NFC - Samsung's TouchWiz UI makes the dialer automatically execute the sequence, which can potentially force a factory reset code onto your unsuspecting phone, and wipe your data. Here is a video demonstrating the theoretical disaster.
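A defensive check for the behaviour described above, added here as an example and not taken from the talk or from Samsung: before a browser, QR reader or NFC handler passes a link to the dialer, flag any `tel:` URI whose number contains the `*` or `#` characters that USSD/MMI codes use, so it can require user confirmation. The `tel:` scheme, the function names and the sample inputs are assumptions; the samples use the harmless `*#06#` code, which only displays the IMEI.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

def is_mmi_tel_uri(uri: str) -> bool:
    """True if uri is a tel: URI whose number carries USSD/MMI characters."""
    scheme, sep, rest = uri.strip().partition(":")
    if not sep or scheme.lower() != "tel":
        return False
    # Percent-decode first: "%23" and "%2A" are "#" and "*" in disguise.
    number = unquote(rest).split(";", 1)[0]  # drop tel: parameters (RFC 3966)
    return "*" in number or "#" in number

class _TelScanner(HTMLParser):
    """Collects every attribute value that is a USSD/MMI-style tel: URI."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is not None and is_mmi_tel_uri(value):
                self.findings.append((tag, name, value))

def find_mmi_tel_links(html: str):
    """Return (tag, attribute, uri) for each risky tel: URI in the markup."""
    scanner = _TelScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page: one ordinary phone link, one MMI-style link,
# and one normal web link with a fragment that must not be flagged.
SAMPLE = """
<a href="tel:+1-555-0100;ext=12">Call support</a>
<a href="TEL:*%2306%23">Tap here</a>
<a href="https://example.com/#top">Back to top</a>
"""

# Constructed decoded QR / NFC payloads, screened with the same classifier.
SAMPLE_PAYLOADS = ["https://example.com/menu", "tel:*%2306%23", "tel:+15550100"]

if __name__ == "__main__":
    for finding in find_mmi_tel_links(SAMPLE):
        print("needs confirmation before dialing:", finding)
    for payload in SAMPLE_PAYLOADS:
        if is_mmi_tel_uri(payload):
            print("scanned payload needs confirmation:", payload)
```
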