The popular Skype for Android application was recently discovered to contain a security bug that could allow a phone’s lock screen to be bypassed, thus offering full access to the handset. The issue was found in version 18.104.22.16873 of the application, and is said to have been already tested on phones such as Sony Xperia Z, Samsung Galaxy Note 2, and Huawei’s Premia 4G.
According to XDA-Developers member Pulser (in a recent article on seclists), the vulnerability can be exploited through the use of two Android devices, each with a Skype account up and running on it.
The target Android smartphone should have a lock screen configured and enabled to replicate the vulnerability.
“The Skype for Android application appears to have a bug which permits the Android inbuilt lockscreen (ie. pattern, PIN, password) to be bypassed relatively easily, if the device is logged into Skype, and the ‘attacker’ is able to call the ‘victim’ on Skype,” Pulser explains.
To exploit the vulnerability, one would have to call the target handset from the second device, via Skype, which will cause the former to display a prompt on the screen to answer or reject the call.
The call should be answered on the target device using the green button, and then ended on the initiating phone, which will leave the former displaying the lock screen.
To bypass it, simply turn off the target phone’s display by pressing the power button, and then turn it on again. The lock screen should be bypassed until the handset is rebooted, the article explains.
Apparently, a similar bug was discovered a few months ago on Viber, another popular VoIP application on Android.
Earlier this week, Skype for Android was updated to version 4.0, not long after passing the 100-million mark, providing users with a redesigned interface and important performance improvements over the previous versions.