Flaw in VoIP App Viber Allows Attackers to Unlock Victims’ Smartphones
An improperly implemented feature in the popular voice-over-IP application Viber can let cyber-criminals bypass the lock screen of smartphones.
UPDATE: Viber has contacted us to announce an update that fixes the issue. Please make sure that you install the update from Google Play or from the company’s product page.
According to a report by BKAV, Android-based smartphones running Viber can be unlocked by simply sending a message to the target device. The message is displayed in a popup window running on top of the screen lock and allows for the keyboard application to be invoked, which temporarily unlocks the lock screen.
Some applications designed for Android, such as the phone app, can temporarily unlock the screen and lock it again when they terminate. This is also the case with Viber, but sending a second message to the victim appears to make the application lose track of the screen lock state and fail to re-lock the screen after it exits, allowing anyone to bypass the authentication mechanism.
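The report does not show Viber's code, so the following is an added example rather than anything from Viber or BKAV: a small Python model of one way a popup can "lose" the lock state when a second message arrives, next to a version that records the state only once. The class and function names are hypothetical, and the cause modelled here (the saved state being overwritten on every message) is an assumption.

```python
# Constructed model of the failure mode described above; not Viber's code.

class Device:
    def __init__(self, locked=True):
        self.locked = locked


class BuggyPopup:
    """Assumed bug: the saved lock state is overwritten on every message."""

    def __init__(self, device):
        self.device = device
        self.relock_on_exit = False

    def on_message(self):
        # On the second message the screen is already temporarily unlocked,
        # so this records "was not locked" and the original state is lost.
        self.relock_on_exit = self.device.locked
        self.device.locked = False  # keyboard invoked over the lock screen

    def on_exit(self):
        if self.relock_on_exit:
            self.device.locked = True


class FixedPopup:
    """Records the lock state only when the popup first opens."""

    def __init__(self, device):
        self.device = device
        self.relock_on_exit = False
        self.is_open = False

    def on_message(self):
        if not self.is_open:
            self.relock_on_exit = self.device.locked
            self.is_open = True
        self.device.locked = False

    def on_exit(self):
        if self.relock_on_exit:
            self.device.locked = True
        self.is_open = False
        self.relock_on_exit = False


def locked_after(popup_cls, messages, initially_locked=True):
    """Deliver `messages` popups, close the popup, return the final lock state."""
    device = Device(initially_locked)
    popup = popup_cls(device)
    for _ in range(messages):
        popup.on_message()
    popup.on_exit()
    return device.locked
```

A regression test for this class of bug should always deliver at least two messages before closing the popup, since the single-message path behaves correctly in both versions.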
Even though Viber comes with an option to prevent popups from unlocking the device, it is turned off by default for convenience.
“Viber 2.3.6 on some Android devices might unlock the screen when replying a Viber message popup,” wrote the Viber team in a security advisory. “We are currently working on fixing this issue and hope to resolve it soon. In the meantime please go to More—>Settings—>Uncheck Unlock for popups”.
According to Viber, their VoIP product runs on roughly 175 million products, but the number of installations on Android is unknown.