New Exploit Bypasses Android Lock Screens
A new exploit can easily bypass the lock screen of Android phones, claims a new report. The bypass can be done on Android phones using versions between 5.0 and 5.1.1, even if encryption is enabled on the particular device.
The University of Texas, Austin, in a report, has revealed the shocking news that the lock screen of Android phones can easily be bypassed using a new exploit. However, the method only works on Android phones that use the OS versions between 5.0 and 5.1.1 and have a password-based lock. This puts the number of Android users at a risk to 21% of the total Android users, which is a huge figure considering the humongous share of Android phones in the market.
The report clearly describes how the hackers can bypass the lock screen of Android devices. The hackers can gain access to the phone settings by swiping left on the screen to open the camera app and then access the phone settings using the notification panel of the device. The option of prompting a user for a password can be seen on the settings page. Unauthorized changes of the password is prevented by requesting the user to add the current password in order to unlock the feature.
However, if the hacker would dump a sufficiently long string of characters in this field, it would cause the handset to crash and return to the home screen, thereby unlocking the phone. After this, any app can be run and developer access can be enabled to acquire complete control of the device and mistreat whatever sensitive data it might hold.
Apart from this there is another method that can lead to the same result, according to the report. The emergency calling feature was used by the study to enter a long string to crash the device. The long list of characters was produced by pasting a short string multiple times, which can be copied and pasted on the password prompt for crashing the device and subsequently bypassing the lock screen.
As much as a shock this report gives to Android users, they can breathe a sigh of relief as Google has been swift in making amends to this anomaly. The developers have started working on a fix for the vulnerability which will be added in the monthly Android security update with build number ’LMY48M’. The same build number handled the Stagefright vulnerability in Android devices.
Although Nexus 4, 5, 6, 7, 9 and 10 have started receiving this update, there could be a sufficient amount of time for hackers to go about their business till the update is made available to all threatened devices. If your device is under threat and you have not received the update, the best you can do is switch to a PIN-based or pattern-based lock:
User must have a password set (pattern / pin configurations do not appear to be exploitable)
Images from Flickr and George Dolgikh / Shutterstock.