Recently Pulser, a contributor on XDA-Developers forum, discovered a bug in Skype that allows an attacker to bypass the lock screen on your Android device.
The way it works is the attacker would need to access to your device either in hand or with an accomplice and involves making a call to target phone while in sleep mode, ending call on initiating device, then pressing the power button on twice on the target device.
Unfortunately reproducing isn’t as easy as that but I was finally able to reproduce following the steps outlined by Pulser. The bug was found in Skype v. 126.96.36.19973, on the same day of the news of this bug Skype released v. 4.0 of their Android offering. I was unable to reproduce the lock screen bypass in v 4.0 so it’s possible Skype has fixed the bug, however don’t take my word on it as I was just unable to reproduce. According to Pulser Skype has been notified and hopefully they have it resolved or will in the near future.
Vulnerabilities or “bugs” in software have long been attack vectors for malware authors, although this attack is very targeted and involved, it points out weaknesses all developers and software companies encounter–software bugs.
As users we have to do our part in securing our computing environment but we also have to put our trust in the developers of the software we use to do some security based quality assurance along with their functionality testing. Skype has been dinged in the past for vulnerabilities in their code, in 2011 a bug exposed user’s personal data and chat logs—they did push out a fix quickly for that.
Bypassing the lockscreen has been an issue for Android and iOS over the years and most times the bug is patched by the OS or app developer, but it would certainly cause headaches for some if the device falls into the wrong hands.
To help mitigate your vulnerability to software bugs ensure you keep your software up-to-date and keep your device close. Please continue to use a lock screen on your device as it will keep the honest thieves out.