How Android handles sharing, and why bad websites can wipe your phone this way

First, if you have not heard about it yet, if you have not a complete uptodate S3 or a Nexus device, install NoTelURL to be safe.


Anyway, how does Android handle sharing and how does that relate to the issue above? Roughly:

• Whenever an app wants to share something, it packs up the data (image, url, whatever) into a data structure called Intent, and basically hands it over to Android to handle it.
• Android figures out which apps have declared that they can handle the specific Intent, and if it's only one, it hands the Intent over. If not, it offers an user menu to choose which app should handle it.
• The receiving app handles the sharing.

Generally speaking this stuff is usually called decoupling, and it's a good thing, because the sender is strongly decoupled from the receiver, and errors in one of these usually don't affect other parts of the system.
Btw, that's also why at least for a long time, if you had more than one Browser installed on your device, pressing a link caused also such an Intent being sent, and the user was "happy" to be able to choose which browser to use on every click. Sigh. Nowadays browsers tend to handle links that they can handle internally to handle internally.
Now a tel: url is meant to allow a webpage to dial a number on your phone. E.g. search results for a take out can als include a Call button so you can order directly without copying/pasting the number manually.
Now, USSD codes are special phone numbers that can be used perform special functions. Some manufacturers also included their own extensions like "reset to factory"
And before Android 4.1.1 the default dialer, when presented with tel: containing Intent just dialed it without any further user interaction.
Ooops, combine that with USSD codes or even just expensive numbers to call, and you end up with a problem.
NoTelURL handles that by offering an alternate "dialer", and that's where you need to rely on the user, if the user has not pressed a Call button in the browser, you probably should choose it to handle the unexpected phone number. If you wanted to Call a number from the browser, select Phone.