Vulnerability in Viber for Android Enables Lock Screen Bypass

Another day, another smartphone lock screen bypass vulnerability.

This time a flaw in a popular messaging application for the Android mobile platform is to blame. Viber, which is similar to Skype in that it allows users to make free phone calls and send instant messages, contains a flaw that could give an attacker with physical access to an Android device full control of the phone, according to Bkav Corporation, a California security company.

Viber has been installed between 50 million and 100 million times, the company said on the Google Play store. The app is also available for iPhone, BlackBerry and Windows devices. Bkav did not say whether any of those devices are vulnerable as well.

The alert posted by Bkav said the vulnerability is present on Samsung, Sony, HTC, Google Nexus, and other devices that support Android.

“Through a few actions on Viber, new message popups, combining with some tricks like using [a] victim’s notification bar, sending other Viber messages, [a] bad guy can gain full access to the phone and use any apps, features, etc. on the phone as its authorized user,” the alert said.

The exploit is relatively simple, according to Bkav. There are several video examples of bypasses for different handsets, each relying on either a Viber instant message or a missed call combined with the use of the Viber keyboard and back button to unlock the phone.

Bkav said it reported the vulnerability to Viber, which has yet to acknowledge it.


A similar vulnerability was discovered in Samsung devices running Android 4.1.2 by a U.K. researcher. It relies on the emergency call button and emergency contact list buttons, which cause the home screen to appear briefly, allowing an outsider to access any app without having to authenticate via the Android pattern lock or PIN.

In February, two iPhone screen lock bypass flaws were discovered, one in the iOS 6.1 kernel that enabled access to contacts and other data, and another also in the emergency call feature.



  • Bilal on

    Thanks for the post. I tried this on Google Nexus 3 but it did not work. Do you know which Nexus version this was tested on?
  • Omi on

    I tried it on my Samsung S2 and it doesn't work. I think they've already fixed it. Android is still a good operating system with a few rough edges. It would be great if they disabled ads on their phones. For those interested, here's an interesting read on phone operating systems. For those looking to get a good deal on a smart phone, you should check this out.
  • Mark on

    It is not fixed on a Samsung S3. I received a message, started to reply, then decided to call. I hit the back button and was in the phone without going through the lock screen. I have been able to reproduce this with another message from a different person.
