Skype for Android Enables Lock Screen Bypass, according to XDA-Developers member Pulser
A security flaw in the popular Skype for Android app can be abused to bypass the phone’s lock screen and allow unauthorized full access to the targeted device.
“The Skype for Android application appears to have a bug which permits the Android inbuilt lockscreen (ie. pattern, PIN, password) to be bypassed relatively easily, if the device is logged into Skype, and the ‘attacker’ is able to call the ‘victim’ on Skype,” XDA-Developers member Pulser writes in a blogpost on the Full Disclosure mailing lists.
Pulser tested the bug with the 18.104.22.16873 version of Skype, launched July 1st, and confirmed that it works on various smart handsets, including the Sony Xperia Z, Samsung Galaxy Note 2 and Huawei Premia 4G.
To simulate an attack, Pulser used two Android devices with a configured Skype account on each. One device needed an Android lock screen up and running.
He used one device to call the second device via Skype, prompting the second device to display a dialogue on its screen to answer or reject the call. The call is accepted on the second device and the first device then hangs up, after which the second device displays the lock screen.
The moment the second device is turned off with the power key and turned back on, the lock screen should be bypassed. According to Pulser, the screen lock remains bypassed until the device is rebooted.
The news came immediately after the company released Skype for Android version 4.0 to mark the 100-million users milestone with major interface changes and performance enhancements.
In April, a flaw in the VoIP app Viber allowed attackers to temporarily unlock victims’ smartphones. The company remedied the issue with a prompt fix.