Ravi Borgaonkar, a researcher based at the Technical University of Berlin demonstrated how simple 11-digit code string, hidden in a Web page or even a text message, can initiate a reset a phone owner cannot stop, deleting contacts, photographs, music and apps.
Borgaonkar unveiled the security vulnerability at a technical conference in Argentina, Britain's The Daily Telegraph reported Tuesday.
The code can also trigger a factory reset on the Galaxy S2 and other devices that use Samsung's version of Google's mobile operating system, combined with the Korean company's "TouchWiz" interface, Borgaonkar said.
Android phones from other manufacturers seem to be immune and "it's possible to exploit this attack only on Samsung devices," he said.
A Spanish telecoms engineer and security blogger who tested the attack said "what were Samsung engineers smoking when they set a code to do a factory reset?"
"This will hard reset the phone, no user confirmation needed," Pau Oliva said. "Yes, you can remotely wipe any friend's Galaxy S3 now."
Samsung representatives did not respond to requests for comment, the Daily Telegraph said.