An independent security researcher has discovered an absurd flaw that bypasses Android’s passcode to let an attacker gain access to the device’s home screen. Ironically, the passcode is a feature designed to secure the phone and has turned out to be a staggering vulnerability. The exploit affects the latest version of Android’s OS – Android Lollipop.
All Android devices running any version of Lollipop (version 5.0 to 5.1.1, other than build version LMY48M) are vulnerable to a simple hack that bypasses password unlocks used to protect Android devices. The discovery was made by security researcher John Gordon at the University of Texas.
The entire published account of the lock screen bypass discovery can be found here.
Here’s how the hack works, as demonstrated by Gordon:
- The phone’s “Emergency Call” can be accessed from the lock screen.
- Typing a few characters into the Emergency Call dial screen, then copying them and pasting them back repeatedly, makes the entered “string” of characters grow exponentially.
- Gordon repeated this over and over until the phone’s user interface crashed and the phone’s camera fired up.
- Eventually, the camera crashes too, and the phone is unlocked, granting an attacker an easy entry to all applications and data on the phone.
Google was warned of the vulnerability in late June, and the tech giant promptly escalated the severity level of the bug from “low” to “moderate” by mid-July.
Google’s latest build of Lollipop, version LMY48M, has patched this substantial exploit, and the updated ROM is available to Nexus devices. The same build also patched the infamous Stagefright vulnerability that affected over 95% of all Android phones and tablets.
While Android’s developers have fixed the issue already, Android devices are notoriously vulnerable due to prolonged update cycles with phone manufacturers and carriers involved in the update release process.
If you own a non-Nexus Android phone running Lollipop, there’s a simple fix. Replace your password-based screen lock with a PIN or pattern-based lock and this will take care of the exploit.