Critical flaw in Viber allows full access to Android Smartphones, bypassing lock screen
11:30:00 | 23-04-2013

More than 50 millions of Smartphone users worldwide are facing a risk posed by a critical flaw in Viber app. Bkav Internet Security Corporation detected the flaw, which allows unauthorized users to access and take full control of Android smartphones installed with Viber even when the phones have been locked. Smartphones of all popular brands like Samsung, Sony, HTC, etc. are vulnerable.

Viber, an over-the-top app for mobile with 175 million users worldwide, allows free messaging, calling and photo sending. If counted on Google Play only, Viber has got from 50 to 100 millions of installs.  While, as in Viber's announcement, "400,000 users [are] being added every day". Accordingly, the number of users exposed to the risk is not limited to 50 millions, but might reach one hundred million.

Exploiting Viber to bypass lock screen of Android smartphones is simple, though it might slightly differ among different phones. Through a few actions on Viber new message popups, combining with some tricks like using victim's notification bar, sending other Viber messages, bad guy can gain full access to the phone and use any apps, features, etc. on the phone as its authorized user.  

Specifically, steps to exploit are as follows:

1. Send Viber message to victim

2. Combine actions on Viber message popups with tricks like using victim's notification bar, sending other Viber messages, etc. to make Viber keyboard appear

3. Once Viber keyboard has appeared, to fully access the device, create missed call to victim (with HTC Sensation XE), press Back button (with Google Nexus 4, Samsung Galaxy S2, Sony Xperia Z), etc.

Exploiting Viber to bypass lock screen of Samsung Galaxy S II

Exploiting Viber to bypass lock screen of HTC Sensation XE

Exploiting Viber to bypass lock screen of Sony Xperia Z

Exploiting Viber to bypass lock screen of Google Nexus 4

"The way Viber handles to popup its messages on smartphones' lock screen is unusual, resulting in its failure to control programming logic, causing the flaw to appear," said Mr. Nguyen Minh Duc, Director of Bkav's Security Division.

Bkav reported Viber of the flaw last week, but has got no response yet. While the app's producer has not addressed the issue, Bkav recommends that users keep their smartphones close and not let anyone else, even acquaintances, use their phones. They should also update the patch for their Viber as soon as it is released.

Contact Information

Bkav USA

800 El Camino Real, Mountain View, California, 94040

Telephone: (+1) 2 023 866 779

Website: www.bkav.com

Email: Bkav@bkav.com