Skype is a very popular tool used throughout the manufacturing automation sector, but watch out for a vulnerability in its Android application.
A vulnerability in Skype’s Android application could enable an attacker to bypass the lockscreen on some Android phones, giving them full access to the device.
The bug is in Skype version 126.96.36.19973, and researchers tested it on the Sony Xperia Z, Samsung Galaxy Note 2 and Huawei’s Premia 4G, all Android devices, said Pulser, a moderator at the Android forum XDA Developers.
“The Skype for Android application appears to have a bug which permits the Android inbuilt lockscreen (ie. pattern, PIN, password) to be bypassed relatively easily,” Pulser wrote in a post on the Full Disclosure mailing lists.
The exploit isn’t the easiest to execute, as it involves having access to two separate devices with two separate Skype accounts installed and running.
The hack can start off by calling the victim’s phone, which will cause it to wake, ring and display a Skype prompt on the screen. By accepting the call on the victim’s phone and ending the call on the initial caller’s phone, the lockscreen should pop up on the targeted phone.
Next, the attacker has to turn the phone off and turn it back on, and the lockscreen ends up bypassed. “The screen will remain bypassed until the device is rebooted,” Pulser said.
The news comes a day after the company pushed version 4.0 of its Android app and on the heels of news this week that the app was installed on its 100 millionth device worldwide. Skype officials were not immediately available for comment.
The flaw is similar to a vulnerability discovered earlier this spring, and since patched, in Viber, which, like Skype, is a VoIP app that allows its users to make free calls and send free messages. In Viber, all an attacker had to do to gain access to the phone was send a user a message and combine a series of actions to exploit the way the app handles popup messages.
Researchers have been especially committed to digging up lockscreen bypass flaws as of late. Earlier this year, iPhone users found flaws in iOS 6.1 and the beta version of iOS 7 that could allow an attacker to bypass the screen lock on Apple’s iPhone.