As many as 100 million Android users may be exposed to an application flaw that would allow someone to bypass their phones’ lock screens. According to a recent blog post by researchers at Bkav Internet Security, popular over-the-top messaging app Viber, which competes with Skype, contains an error in its programming logic related to the way it handles pop-up messages. The flaw allows attackers to take full control of “all popular brands” of Android smartphones.
An attacker could carry out the exploit by sending a message to the victim, then using actions on the message pop-up to make the Viber keyboard appear and backing out of the keyboard to reach the full device. Although the exact steps vary slightly by brand, researchers confirmed that the attack works on phones from Samsung, Sony, HTC and others.
“Exploiting Viber to bypass lock screen of Android smartphones is simple, though it might slightly differ among different phones,” researchers wrote. “Through a few actions on Viber new message popups, combin[ed] with some tricks like using victim’s notification bar [and] sending other Viber messages, [a] bad guy can gain full access to the phone and use any apps, features, etc. on the phone as its authorized user.”
Viber acknowledged the vulnerability in a statement to Ars Technica and said that it plans to release a fix next week. Users can temporarily address the problem by disabling pop-up messages.
The error comes on the heels of several other vulnerabilities that allow attackers to bypass smartphone lock screens, including multiple flaws in Samsung devices and an issue in Apple’s iOS. Viber’s Android customer base is estimated to total between 50 million and 100 million users, according to Bkav, significantly adding to the number of consumers who might have a phone on which the lock screen can be bypassed.
Application programmers can protect their users against issues of this kind by using source code analysis tools that spot logic errors during development. Rather than risk the security of millions of users after release, developers can use static analysis software to catch such problems in advance.
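The design principle behind the flaw described above is that an app should never offer its full interactive UI over the keyguard. The following Android snippet is an added illustration written for this page, not Viber's code and not a description of its fix: it gates an incoming-message popup on the keyguard state, posting only a content-free notification while the device is locked and launching the interactive popup only once it is unlocked. The class, the `MessagePopupActivity` target, the `showIncomingMessage` entry point and the notification channel id are all assumed names for the example; the `KeyguardManager`, `NotificationCompat` and `PendingIntent` calls are standard Android APIs.

```java
// Added example for this page (not Viber's code). Assumed names: LockScreenSafeMessaging,
// MessagePopupActivity (an app Activity that never sets FLAG_SHOW_WHEN_LOCKED),
// showIncomingMessage(), and the "messages" notification channel (assumed to exist).
import android.app.KeyguardManager;
import android.app.Notification;
import android.app.NotificationManager;
import android.app.PendingIntent;
import android.content.Context;
import android.content.Intent;
import androidx.core.app.NotificationCompat;

public final class LockScreenSafeMessaging {
    private static final String MESSAGE_CHANNEL_ID = "messages"; // assumed channel id
    private static final int MESSAGE_NOTIFICATION_ID = 1001;     // constructed id

    private LockScreenSafeMessaging() {}

    /** True when the device is locked, i.e. only a non-interactive notification may be shown. */
    public static boolean shouldRestrictUi(Context context) {
        KeyguardManager km = (KeyguardManager) context.getSystemService(Context.KEYGUARD_SERVICE);
        return km != null && km.isKeyguardLocked();
    }

    public static void showIncomingMessage(Context context, String sender, String body) {
        Intent open = new Intent(context, MessagePopupActivity.class)
                .putExtra("sender", sender)
                .putExtra("body", body);

        if (shouldRestrictUi(context)) {
            // Locked: post a notification only. Tapping it routes through the keyguard,
            // so the interactive popup (and its keyboard) is reachable only after unlock.
            PendingIntent tap = PendingIntent.getActivity(
                    context, 0, open,
                    PendingIntent.FLAG_UPDATE_CURRENT | PendingIntent.FLAG_IMMUTABLE);

            // The public version is what the lock screen renders: no sender, no body, no actions.
            Notification publicVersion = new NotificationCompat.Builder(context, MESSAGE_CHANNEL_ID)
                    .setSmallIcon(android.R.drawable.ic_dialog_email)
                    .setContentTitle("New message")
                    .setVisibility(NotificationCompat.VISIBILITY_PUBLIC)
                    .build();

            Notification full = new NotificationCompat.Builder(context, MESSAGE_CHANNEL_ID)
                    .setSmallIcon(android.R.drawable.ic_dialog_email)
                    .setContentTitle(sender)
                    .setContentText(body)
                    .setContentIntent(tap)
                    .setVisibility(NotificationCompat.VISIBILITY_PRIVATE)
                    .setPublicVersion(publicVersion)
                    .build();

            NotificationManager nm =
                    (NotificationManager) context.getSystemService(Context.NOTIFICATION_SERVICE);
            nm.notify(MESSAGE_NOTIFICATION_ID, full);
        } else {
            // Unlocked: the interactive popup with its keyboard is acceptable here.
            open.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
            context.startActivity(open);
        }
    }
}
```

The keyguard check is a design decision rather than a coding slip, so it is worth calling out explicitly in review: a static analyzer can flag an activity launched from a message-receive path, but whether that activity may appear over the lock screen is something the threat model has to decide.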
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.