A popular messaging application for the Android mobile platform, similar to Skype, is vulnerable to a flaw that could give an attacker with physical access to an Android device full control of the phone, researchers said.
There have been between 50 and 100 million installations of Viber on the Google Play store, said researchers at Bkav Corporation, a California security company. The app is also available for iPhone, BlackBerry and Windows devices. Bkav did not say whether any of those devices are vulnerable as well.
The alert posted by Bkav said the vulnerability is present on Samsung, Sony, HTC, Google Nexus, and other devices that support Android.
“Through a few actions on Viber, new message popups, combining with some tricks like using [a] victim’s notification bar, sending other Viber messages, [a] bad guy can gain full access to the phone and use any apps, features, etc. on the phone as its authorized user,” the alert said.
The exploit is relatively simple, Bkav researchers said. There are several video examples of bypasses for different handsets, each relying on either a Viber instant message or missed call combined with the use of the Viber keyboard and back button to unlock the phone.
Bkav said it reported the vulnerability to Viber, which has yet to acknowledge it.
A similar vulnerability was found in Samsung devices running Android 4.1.2 by a U.K. researcher. It relies on the emergency call button and emergency contact list buttons, which cause the home screen to appear briefly, allowing an outsider to access any app without having to authenticate via the Android pattern lock or PIN.
In February, two iPhone screen lock bypass flaws were discovered, one in the iOS 6.1 kernel that enabled access to contacts and other data, and another also in the emergency call feature.