A vulnerability in Skype’s Android application could enable an attacker to bypass the lockscreen on some Android phones, giving them full access to the device if it’s in their possession.
According to Pulser, a moderator at the popular Android forum XDA Developers, the bug is in Skype version 220.127.116.1173 and has been tested on the Sony Xperia Z, Samsung Galaxy Note 2 and Huawei’s Premia 4G, all Android devices.
“The Skype for Android application appears to have a bug which permits the Android inbuilt lockscreen (ie. pattern, PIN, password) to be bypassed relatively easily,” Pulser wrote Monday in a post on the Full Disclosure mailing lists.
The exploit isn’t the easiest to execute, as it involves having access to two separate devices with two separate Skype accounts installed and running.
For those determined enough, though, the hack can be initiated by calling the victim’s phone, which will cause it to wake, ring and display a Skype prompt on the screen. By accepting the call on the victim’s phone and ending the call on the initial caller’s phone, the lockscreen should pop up on the targeted phone.
Next, the attacker has to turn the phone off and turn it back on, and the lockscreen will be bypassed. According to steps laid out by Pulser, “the screen will remain bypassed until the device is rebooted.”
The news comes a day after the company pushed version 4.0 of its Android app and on the heels of news this week that the app has been installed on its 100 millionth device worldwide. E-mail requests for comment to Skype on Tuesday were not immediately returned.
The flaw is similar to a vulnerability that was discovered in Viber earlier this spring and has since been patched. Viber, like Skype, is a VoIP app that lets its users make free calls and send free messages. In Viber, all an attacker had to do to gain access to the phone was send a user a message and combine a series of actions to exploit the way the app handles popup messages.
Researchers have been especially committed to digging up lockscreen bypass flaws as of late. Earlier this year, iPhone users found flaws in iOS 6.1 and the beta version of iOS 7 that could allow an attacker to bypass the screen lock on Apple’s iPhone.