Just when they thought their OS was patched, another hole springs a leak.
Discovered by German security researchers at Curesec, the bug is capable of taking over anyone’s phone or tablet straight from the lock screen, as long as they are running any version of Android from 4.0 to 4.3. As of their report, Android 4.4, lovingly referred to as “KitKat”, is free of the vulnerability and the code associated with it.
The flaw sits in the “com.android.settings.ChooseLockGeneric” class, the settings component that lets the user change the style of lock mechanism they use to access the phone. Varying from swiping across the screen to requiring a PIN input from the user, these options are normally considered mundane, but in the wrong hands they can open you up to a host of liabilities from the internet and at home.
The developers behind the crack elaborate:
“We can control the flow to reach the updatePreferencesOrFinish() method and see that IF we provide a Password Type the flow continues to updateUnlockMethodAndFinish().”
Curesec has published a proof of concept on its website showing how the attack functions on its own devices, and claims it only decided to go public with the issue after the Android Security Team stopped replying to its emails describing the problem and alerting the engineers to the flaw in their system.
No matter what version of Android you use, you should always have a mobile VPN solution installed and ready to protect you from threats no matter which way they find their way onto your phone.