The Viber messaging app has been gathering momentum on Google Play, but a new exploit might give users pause. Just a few days ago, the security company Bkav announced that it has found a way to gain full access to Android phones using the popular Viber messaging app.
Unlike the Samsung lockscreen issue we reported on earlier, this attack doesn’t take any fancy finger work. Instead, all it needs is two phones, both running Viber, and a phone number.
Here’s how it works. The victim phone is locked, but it has Viber installed and set up. The attacker phone sends a message to the victim, which brings up an alert window on the lockscreen. One of the unique features of Viber is that you can respond even while the phone is locked, and activating the Viber keyboard is the next step in the attack.
Once the keyboard is active on the victim phone, the attacker sends another message. This time, press the back button on the victim phone, and suddenly you have full access to the victim phone.
According to Bkav, the issue stems from the way Viber interacts with the Android lockscreen. BKav’s security division director Nguyen Minh Duc explained on the company’s website, “the way Viber handles to popup its messages on smartphones’ lock screen is unusual, resulting in its failure to control programming logic, causing the flaw to appear.”
Bkav writes that they have contacted Viber about the issue, but have not received a response. As of writing, the Twitter feed and Facebook accounts for Viber have been silent for over a day.
Bkav has several videos of the exploit in action on their website.
How Dangerous Is This? While it’s shocking to see the Android lockscreen so easily circumvented, the reality is that this exploit recquires two things that most attackers don’t have. First, they’d need physical access to your phone. Without your phone, it wouldn’t matter if it was locked or unlocked since the attacker couldn’t do anything.
Second, an attacker would need to have your Viber user information to send you a message. Even if your phone was stolen and the attacker somehow knew that you were a Viber user, they’d still need to send your specific phone a message.
These two factors greatly limit the potential pool of attackers, not to mention the fact that there are millions of Android users and only some useViber. Like most of these exploits it poses little threat to most users.
In my opinion, the real danger here is that the Viber developers either didn’t know or didn’t care that the exploit existed in their app—and they’re surely not alone in this. While it’s difficult to have total quality assurance for any app, particularly for Android developers who have myriads of hardware and operating system variations to consider, developers still need to keep security in mind when they push their apps out.