Another day, another smartphone lock screen bypass vulnerability.
This time a flaw in a popular messaging application for the Android mobile platform is to blame. Viber, which is similar to Skype in that it allows users to make free phone calls and send instant messages, is vulnerable to a flaw that could allow an attacker with physical access to an Android device full control of the phone, according to Bkav Corporation, a California security company.
Viber has been installed between 50 million and 100 million times, the company said on the Google Play store. The app is also available for iPhone, BlackBerry and Windows devices. Bkav did not say whether any of those devices are vulnerable as well.
The alert posted by Bkav said the vulnerability is present on Samsung, Sony, HTC, Google Nexus, and other devices that support Android.
“Through a few actions on Viber, new message popups, combining with some tricks like using [a] victim’s notification bar, sending other Viber messages, [a] bad guy can gain full access to the phone and use any apps, features, etc. on the phone as its authorized user,” the alert said.
The exploit is relatively simple according to Bkav. There are several video examples of bypasses for different handsets, each relying on either a Viber instant message or missed call combined with the use of the Viber keyboard and back button to unlock the phone.
Bkav said it reported the vulnerability to Viber, which has yet to acknowledge it.
A similar vulnerability was discovered in Samsung devices running Android 4.1.2 by a U.K. researcher through the use of the emergency call button and emergency contact list buttons, which causes the home screen to appear briefly allowing an outsider to access any app without having to authenticate via the Android pattern lock or PIN.