Experts from security firm Bkav have identified a vulnerability in Viber – the popular application that allows users to make calls, send text messages and photos for free. The security hole could be exploited to bypass the lock screen on Android smartphones and gain full access to the device.
According to the figures from Viber’s website and Google Play, as many as 100 million users might be impacted by the issue.
So how does the attack work?
There are three main steps:
1) Send a Viber message to the victim;
2) Make the Viber keyboard appear on the targeted device by performing some actions with message pop-ups;
3) Once the keyboard has appeared, a missed call must be created or the “Back” button must be pressed.
At this point, the lock screen should be unlocked, giving the attacker complete access to the device.
This third step depends on the targeted device. On HTC Sensation XE, a missed call must be created at step 3 to unlock the screen, while on Samsung Galaxy S2, Google Nexus 4 and Sony Xperia Z, the Back button must be pressed.
“The way Viber handles to popup its messages on smartphones' lock screen is unusual, resulting in its failure to control programming logic, causing the flaw to appear,” noted Mr. Nguyen Minh Duc, director of Bkav's security division.
Viber was notified by Bkav regarding the vulnerability last week, but so far, the security firm hasn’t received any response.
Since this is a local attack, users can protect themselves by making sure they don’t let their devices out of sight. If Viber addresses the issue, make sure to update the app to the latest variant.
Update. Viber representatives state that an update has been released to address the issues identified by Bkav. The updated variant of the app is available for download here.
Check out the POC videos released by Bkav for Nexus 4, Xperia Z, Galaxy S2 and Sensation XE: