A Vietnamese security firm discovered a flaw in the popular Viber app that allows attackers to hack the screen lock and gain control of the smartphone. All it takes is a number of specially crafted messages and the device’s security is compromised.
Viber has more than 50 million users worldwide, and works very much like Skype, allowing Android users to send messages and talk for free. Bkav, a Vietnamese security company, discovered that sending pop-up messages and using the notification bar can give anyone full access to the victim's phone.
According to Bkav, the three easy steps to exploit the bug are:
1. Send Viber message to victim
2. Combine actions on Viber message popups with tricks like using victim's notification bar, sending other Viber messages, etc. to make Viber keyboard appear
3. Once Viber keyboard has appeared, to fully access the device, create missed call to victim (with HTC Sensation XE), press Back button (with Google Nexus 4, Samsung Galaxy S2, Sony Xperia Z), etc.
Exploiting Viber to bypass lock screen of Samsung Galaxy S II (source: Bkav)
As Nguyen Minh Duc, head of Bkav’s security division, said: “The way Viber handles to popup its messages on smartphones' lock screen is unusual, resulting in its failure to control programming logic, causing the flaw to appear.”
The developers of Viber responded to the incident by releasing a new version of the app (2.3.7) which is available on the company’s helpdesk (but not on the Google Play Store at the time of publication), announcing that the loophole is now patched. In the meantime, users are advised to keep their smartphones in close proximity.