Update: Viber contacted us to say they’ve published a version that fixes this flaw. You can find Viber’s Android knowledgebase and download instructions here. [2013-04-26T10:24Z]
Lacking the lightning-fast reflexes needed to get past the Samsung Galaxy Note 2’s lock screen?
Hampered by pesky morality that forces you to forego the placing of bogus emergency calls so as to hack iPhone passcodes?
Not that you should want to do any of that, mind you, but just to pile onto the spate of recently revealed smartphone hijacking methods, a new flaw in Viber lets hackers bypass Android lock screens more easily than those earlier finger-twisters did.
Viber, which boasts over 175 million worldwide users and by its own account is growing crazy fast, is a smartphone app for Android, iPhone, BlackBerry, Windows Phone and other devices and platforms that lets users call, text, and send photos for free.
As Softpedia’s Eduard Kovacs reports, researchers at Bkav have identified a security hole in Viber that can be exploited to bypass Android smartphones’ lock screen and gain full access to the device.
Bkav describes the lock screen bypass as “simple,” though the steps might differ slightly from phone to phone.
The exploit steps are shown in four videos (one for each handset) on the company’s site.
[Video: the Samsung version]
The exploit entails a few actions on Viber’s new-message popups, combined with a few other tricks to gain full access to the phone.
Mr. Nguyen Minh Duc, Director of Bkav’s Security Division, says the security hole comes out of the weird way in which Viber handles messages:
"The way Viber handles to popup its messages on smartphones' lock screen is unusual, resulting in its failure to control programming logic, causing the flaw to appear."
Bkav, which posted a blog about the flaw on Tuesday, says it told Viber about the flaw last week but hasn’t yet gotten a response.
The company suggests that while we wait for Viber to fix the vulnerability, we should keep our smartphones close and out of the hands of anybody, be they friend or foe.
And, of course, as go all security patches so goes Viber: make sure to update the app as soon as a patch is available.
11 comments on “Viber flaw bypasses lock screen to give full access to Androids”
Just checked the permissions of Viber in the Play Store and the Viber app asks for the permission:
"DISABLE YOUR SCREEN LOCK
Allows the app to disable the keylock and any associated password security. For example, the phone disables the keylock when receiving an incoming phone call, then re-enables the keylock when the call is finished."
So technically it's not an Android fault.
So not quite a security "flaw" but a use case design flaw.
I don't think the article was suggesting this was an Android OS flaw but an application flaw.
Yes but Android should have seen this coming
Hi the_programmer –
The reason Viber asks for this permission is only because it is one of Viber’s features (it can easily be found in our “More” tab, under Settings).
This option can be disabled if the user wishes, and by itself it does not pose any threat.
This way or another, we’ve already published a fixed version for this security glitch.
[NB. See the top of this article for update info and a link to the Viber Android knowledgebase.]
the Viber Team.
It might be good advice somewhere in the text to tell people also to maybe simply disable the popup messages 😉
IpWebcam for android also shares a similar vulnerability where the lockscreen is not displayed at all when the cam is running.
I believe there is a setting in Viber that allows for popups to unlock the screen and that is enabled by default (bad idea). Unchecking that option should mitigate this.
This is a member of the Viber R&D Team.
We are researching this issue and we will release an update very soon.
Meanwhile, as a workaround it is possible to disable the popup for the lock screen. 🙂
Thanks for your patience and support!
Thanks for the heads up – I popped into Viber settings and switched off the ability to turn off the screen lock and to show a notification pop up.
Our pleasure to help 🙂
We care a lot about our users' security, and as we said – we're working hard at the moment to fix this issue, and release a fixed version soon.
the Viber Team.