A significant flaw in Viber, a mobile communication app like Skype, allows talented attackers to gain control of Android handsets even if a screen lock is active.
A blog post published by Bkav Internet Security on Tuesday outlines the exploit, and also mentions that it affects a plethora of devices from the likes of Samsung, Sony and HTC. The invasion process employed varies by device model, but Bkav says they all use the same programming logic to achieve their means. The vulnerability has to do with the way Viber utilizes pop-up messages and notifications.
A spokesman for the company released a statement to Ars Technica, clearly stating that they are aware of the problem and will releasing an update to fix the problem as early as next week.
“In the meantime, anyone concerned about this issue can resolve it by disabling Pop-up Notifications in the Android version of Viber. This can be done by going to Viber Settings and choosing to disable–’New Message Pop-Up.'”
As the video below so clearly demonstrates, the exploit involves sending a message to the affected handset, and taking advantage of features unique to Viber to gain access by unlocking the device.
http://youtu.be/JQhNMJpAlto
Google Play reports that Viber has been downloaded between 50 million to 100 million times on a whole slew of devices. With iOS and Blackberry included, Viber said that they had 175 million active users in December of last year. While there’s no indication that non-Android devices are affected by this exploit, the possibility hasn’t been ruled out yet.
Keep in mind here, this exploit has nothing to do with the Android operating system by itself but instead has to do with a third party mobile application. If you don’t have Viber installed on your device, then this doesn’t apply to you in any way. Still, it’s proof that you should always pay attention to what permissions applications request during installation. Viber does state that it requests access to unlock your device, but it’s buried in a long list of additional permissions that it requires in order to operate. That just makes it easy to overlook that particular permission request.
Check out the source link below for more video demonstrations and other information on the exploit.
Source: Ars Technica