Viber flaw bypasses lock screen to give full access to Androids


Update: Viber contacted us to say they've published a version that fixes this flaw. You can find Viber's Android knowledgebase and download instructions here. [2013-04-26T10:24Z]

Lacking the lightning-fast reflexes needed to get past the Samsung Galaxy Note 2's lock screen?

Hampered by pesky morality that forces you to forgo the placing of bogus emergency calls so as to hack iPhone passcodes?

Not that you should want to do any of that, mind you, but just to pile onto the spate of recently revealed smartphone hijacking methods, a new flaw in Viber allows hackers to more easily bypass Androids' lock screens than these previous finger-twisters.

Viber, which boasts over 175 million worldwide users and by its own account is growing crazy fast, is a smartphone app for Android, iPhone, Blackberry, Windows Phone and other devices and platforms that lets users call, text, and send photos for free.

As Softpedia's Eduard Kovacs reports, researchers at Bkav have identified a security hole in Viber that can be exploited to bypass Android smartphones' lock screen and gain full access to the device.

Bkav describes the lockscreen bypass as "simple," though the steps might slightly differ among different phones.

The exploit steps are shown in four videos (one for each handset) on the company's site. The Samsung version:

The exploit entails a few actions on Viber's new-message popups, combined with a few other tricks to gain full access to the phone.

Mr. Nguyen Minh Duc, Director of Bkav's Security Division, says the security hole comes out of the weird way in which Viber handles messages:

"The way Viber handles to popup its messages on smartphones' lock screen is unusual, resulting in its failure to control programming logic, causing the flaw to appear."

Bkav, which posted a blog about the flaw on Tuesday, says it told Viber about the flaw last week but hasn't yet gotten a response.

The company suggests that while we wait for Viber to fix the vulnerability, we should keep our smartphones close and out of the hands of anybody, be they friend or foe.

And, of course, as go all security patches so goes Viber: make sure to update the app as soon as a patch is available.



11 Responses to Viber flaw bypasses lock screen to give full access to Androids

  1. the_programmer · 364 days ago

    Just checked the permissions of viber in the play store and the viber app asks for the permission:
    "DISABLE YOUR SCREEN LOCK
    Allows the app to disable the keylock and any associated password security. For example, the phone disables the keylock when receiving an incoming phone call, then re-enables the keylock when the call is finished."
    So technically it's not an android fault.

    see: https://play.google.com/store/apps/details?id=com...

    • Khürt · 364 days ago

      So not quite a security "flaw" but a use case design flaw.

    • Khürt · 364 days ago

      I don't think the article was suggesting this was an Android OS flaw but an application flaw.

    • Jake · 364 days ago

      Yes but Android should have seen this coming

    • ViberTeam · 363 days ago

      Hi the_programmer -

      The reason Viber asks for this permission is only because it is one of Viber's features (it can easily be found in our "More" tab, under Settings).

      This option can be disabled if the user wishes, and by itself it does not pose any threat.

      This way or another, we've already published a fixed version for this security glitch.

      [NB. See the top of this article for update info and a link to the Viber Android knowledgebase.]

      Thanks,
      the Viber Team.

  2. Me123 · 364 days ago

    It might be good advice somewhere in the text to tell people also to maybe simply disable the popup messages ;)

  3. Jason · 364 days ago

    IpWebcam for android also shares a similar vulnerability where the lockscreen is not displayed at all when the cam is running.

  4. Anand · 364 days ago

    I believe there is a setting in Viber that allows for popups to unlock the screen and that is enabled by default (bad idea). Unchecking that option should mitigate this.

  5. viberteam · 364 days ago

    Hi,
    This is a member of the Viber R&D Team.

    We are researching this issue and we will release an update very soon.
    Meanwhile, as a workaround it is possible to disable the popup for the lock screen. :)

    Thanks for your patience and support!

    Best regards,
    Viber Team

  6. Thanks for the heads up - I popped into Viber settings and switched off the ability to turn off the screen lock and to show a notification pop up

    • ViberTeam · 364 days ago

      Our pleasure to help :)

      We care a lot about our users' security, and as we said - we're working hard at the moment to fix this issue, and release a fixed version soon.

      the Viber Team.


About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.