Update: Viber contacted us to say they’ve published a version that fixes this flaw. You can find Viber’s Android knowledgebase and download instructions here. [2013-04-26T10:24Z]
Lacking the lightning-fast reflexes needed to get past the Samsung Galaxy Note 2’s lock screen?
Hampered by pesky morality that forces you to forgo the placing of bogus emergency calls so as to hack iPhone passcodes?
Not that you should want to do any of that, mind you, but just to pile onto the spate of recently revealed smartphone hijacking methods, a new flaw in Viber allows hackers to bypass Android lock screens more easily than with these previous finger-twisters.
Viber, which boasts over 175 million worldwide users and by its own account is growing crazy fast, is a smartphone app for Android, iPhone, Blackberry, Windows Phone and other devices and platforms that lets users call, text, and send photos for free.
Bkav describes the lock screen bypass as “simple,” though the steps might differ slightly from phone to phone.
The exploit steps are shown in four videos (one for each handset) on the company’s site.
The exploit entails a few actions on Viber’s new-message popups, combined with a few other tricks to gain full access to the phone.
Mr. Nguyen Minh Duc, Director of Bkav’s Security Division, says the security hole comes out of the weird way in which Viber handles messages:
"The way Viber handles to popup its messages on smartphones' lock screen is unusual, resulting in its failure to control programming logic, causing the flaw to appear."
Bkav, which posted a blog entry about the flaw on Tuesday, says it told Viber about the flaw last week but hasn’t yet gotten a response.
The company suggests that while we wait for Viber to fix the vulnerability, we should keep our smartphones close and out of the hands of anybody, be they friend or foe.
And, of course, as go all security patches, so goes Viber: make sure to update the app as soon as a patch is available.