Report: New hack lets an attacker bypass password-locked Android home screens
A video uncovered by Ars Technica shows someone able to use the emergency call access to gain entry to a locked phone, even though it’s protected with a password.
The individual in the video types a large string of characters into the call window and copies them to the device’s clipboard. The hacker is then able to open the camera from the locked device, access the options menu, and paste several characters into the password prompt. The phone then unlocks.
The vulnerability was introduced in Android 5.0 and was fixed in the LMY48M Android 5.1.1 build released to Nexus devices (you can always grab it yourself from the Nexus Factory Images page.) However, the vast majority of Android handsets aren’t of the Nexus variety, which means you’re vulnerable to this hack until your device is updates. Fortunately, the attack only works if you use a password to unlock your device; you can use a PIN or pattern unlock to protect yourself. If you use a fingerprint unlock, you would need to have a PIN or pattern as the backup to fully stay secure.
Why this matters: It hasn’t been a great year for Android security, as this minor hack comes after the big scare of Stagefright. It demonstrates that Google and device manufacturers all need to step up their game so everyone can enjoy better security and not worry about a new hack every week.