Report: Viber Android app exploit allows lock-screen bypass

Posted by Shane McGlaun

Viber can best be described as an Android messaging app designed to compete with Skype.

This week, a security company known as Bkav reported that it had discovered a flaw in the way the app handles pop-up messages which allows nefarious users to bypass a handset's lock-screen. It should be noted that traditional lock-screen bypassing hacks typically require a certain familiarity with long and complicated strings of code.

However, according to Bkav, the above-mentioned hack requires little more than two devices running the Viber app and a phone number.

To exploit the hack, all someone has to do is send a message to the victim, which causes alert window to open on the lock-screen. Once that message is received on the victim's device, the nefarious user activates the Viber keyboard and send another message.

Then when the first user pushes the back button on the victim's phone, they get full access to the device. This is a serious security breach to be sure, but I don't think your average Viber user has all that much to worry about. Remember, a nefarious actor would have to know your phone number and have access to your phone. If a random stranger found your device they wouldn't have that information, at least not right away. 

However, your friends, coworkers, spouse, or significant other could most likely use the exploit to gain access to your locked Android smartphone.

Bkav says that the exploit has to do with the way Viber interacts with the Android widescreen. In addition, Bkav's security division director Nguyen Minh Duc noted that "the way Viber handles to popup its messages on smartphones' lock screen is unusual, resulting in its failure to control programming logic, causing the flaw to appear."

Viber has admitted that it is aware of the fault and expects to have to patch to plug a security vulnerability next week.