How the hack works
Manufacturers like Samsung use special USSD codes that can be typed into the dial pad by end-users to make it easy for handset makers and telcos to do support over the phone with their customers. One such code - *#06# - is used to display a phone's IMEI number on the screen. Another code resets the phone.
What Borgaonkar discovered was that a person could craft a website with the reset code embedded - in Samsung's case *2767*3855# (do not type this into your phone!) - and get the code to automatically run when a user visited it.
A hacker could also exploit an affected phone by getting a user to scan a malicious QR code or by sending them a malicious SMS or NFC transmission.