Lockscreen hack exposes Android smartphones to full control by hackers
A critical bug lets hackers get past the Android lockscreen with a simple hack. Security researchers from the University of Texas at Austin have discovered a critical flaw in Android smartphones and tablets which lets an attacker holding the device gain complete control of it by pasting an extremely long string into the lockscreen's password field.
According to the researchers, this Android lockscreen hack affects devices running Android 5.x, which means that millions of Android smartphones in circulation worldwide are susceptible.
The hacking technique is very simple and can be carried out even by a noob. The attacker types a large number of characters into the emergency call window and copies them to the Android clipboard. With the long string on the clipboard, the attacker swipes open the camera from the locked device, swipes down for the notification options menu, and pastes the characters into the resulting password prompt over and over.
Normally the Android smartphone owner would just get an error message, but in this case, due to the vulnerability, the lockscreen crashes and the phone simply unlocks, giving the hacker access to do almost anything.
For the hack to work, the attacker needs the following:
- Physical access to the device
- The user must have a password set (PIN and pattern configurations do not appear to be exploitable)
The attack process:
- From the locked screen, open the EMERGENCY CALL window.
- Type a few characters, e.g. 10 asterisks. Double-tap the characters to highlight them and tap the copy button. Then tap once in the field and tap paste, doubling the characters in the field. Repeat this highlight-all, copy, paste cycle until the field is so long that double-tapping no longer highlights it. This usually happens after 11 or so repetitions.
- Go back to the lockscreen, then swipe left to open the camera. Swipe down from the top of the screen to pull the notification drawer down, then tap the Settings (gear) icon in the top right. This will cause a password prompt to appear.
- Long-tap in the password field and paste the characters into it. Continue to long-tap the cursor and paste the characters as many times as possible, until you notice the UI crash and the soft buttons at the bottom of the screen disappear, expanding the camera to fullscreen. Getting the paste button to appear can be finicky as the string grows. As a tip, always make sure the cursor is at the very end of the string (you can double-tap to highlight all, then tap towards the end to quickly move the cursor there) and long-tap as close to the center of the cursor as possible. It may take longer than usual for the paste button to appear as you long-tap.
- Wait for the camera app to crash and expose the home screen. The duration and result of this step can vary significantly, but the camera should eventually crash and expose sensitive functionality. You should notice the camera lagging as it attempts to focus on new objects. Taking pictures via the hardware keys may speed up the process, though it is not strictly necessary. If the screen turns off due to inactivity, simply turn it back on and continue waiting. In some cases the camera app will crash directly to the full home screen, whereas other times it may crash to a partially rendered home screen, as shown in the researchers' alternate proof-of-concept video.
- Navigate to the Settings application by any means possible, e.g. by tapping the app drawer button in the bottom center and finding it in the app list. At this point it is possible to enable USB debugging normally (About phone > tap Build number 7 times, back, Developer options > USB debugging) and access the device via the adb tool to issue arbitrary commands or access the files on the device with the full permissions of the device owner.
Proof-of-concept video:
Affected Android smartphones:
The researchers stated that they informed the Android security team about the vulnerability, and Google released Android 5.1.1 build LMY48M containing a fix for it. However, the patch has so far reached only owners of the Nexus 4, 5, 6, 7, 9, and 10. As with every Android vulnerability, the sheer number of versions in the market makes it impossible for Google to patch every smartphone running Android directly, and many manufacturers are slow to pass the patches on to their customers, effectively leaving such smartphones vulnerable to this attack.
Mitigation techniques:
Owners of smartphones which haven't received the update yet should immediately switch to a PIN- or pattern-based lockscreen, which the researchers found not to be exploitable, to avoid the hack and the loss of personal data.
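As an added example (not code from the article or from the UT Austin researchers), the following POSIX shell script turns the "affected" criteria above into a triage check over the build properties a device reports through `adb shell getprop`. The LMY48M threshold and the 5.x range come from the article; the assumption that Nexus LMY build IDs sort chronologically as plain strings, the decision to report non-LMY vendor builds as "unknown", and the sample property dumps are the example's own, not facts from the page.

```sh
#!/bin/sh
# Added example, not from the article. Decides from Android build properties
# whether a device falls in the range the article describes as affected:
# Android 5.x with a build that predates the fixed Nexus build LMY48M.
#
# Assumptions (not stated by the article):
#  - Nexus build IDs of the form L<two letters><two digits><letter> sort
#    chronologically as plain strings, so LMY48B < LMY48M < LMY48P.
#  - Vendor builds use their own naming, so anything that is not an LMY*
#    build is reported as "unknown" instead of being guessed at.

FIXED_BUILD="LMY48M"

# is_affected RELEASE BUILD_ID
#   prints a verdict; returns 0 = affected, 1 = not affected, 2 = unknown
is_affected() {
    release="$1"
    build="$2"

    case "$release" in
        5.*) ;;   # 5.0 - 5.1.1: the range the article lists as affected
        *)   echo "not affected: release $release is not 5.x"; return 1 ;;
    esac

    case "$build" in
        LMY*) ;;
        *)   echo "unknown: $build is not a Nexus LMY build; confirm with the vendor whether the LMY48M fix is included"
             return 2 ;;
    esac

    # Lexical comparison against the fixed build (assumption noted above):
    # sort the two IDs and see whether the device build is the newer one.
    newest=$(printf '%s\n%s\n' "$build" "$FIXED_BUILD" | LC_ALL=C sort | tail -n 1)
    if [ "$newest" = "$build" ]; then
        echo "not affected: build $build is $FIXED_BUILD or later"
        return 1
    fi
    echo "affected: release $release build $build predates $FIXED_BUILD; use a PIN or pattern lockscreen until patched"
    return 0
}

# prop_value DUMP NAME: extract one property from `adb shell getprop` output,
# whose lines look like "[ro.build.display.id]: [LMY48B]".
prop_value() {
    printf '%s\n' "$1" | sed -n "s/^\[$2]: \[\(.*\)]\$/\1/p" | head -n 1
}

# check_device DUMP: run the verdict over one getprop dump.
check_device() {
    is_affected "$(prop_value "$1" ro.build.version.release)" \
                "$(prop_value "$1" ro.build.display.id)"
}

# Constructed sample dumps (not captured from real devices), trimmed to the
# two properties the check needs.
VULNERABLE_NEXUS='[ro.build.display.id]: [LMY48B]
[ro.build.version.release]: [5.1.1]'

PATCHED_NEXUS='[ro.build.display.id]: [LMY48M]
[ro.build.version.release]: [5.1.1]'

VENDOR_DEVICE='[ro.build.display.id]: [XYZ-5.1.1-20150901]
[ro.build.version.release]: [5.1.1]'

for d in "$VULNERABLE_NEXUS" "$PATCHED_NEXUS" "$VENDOR_DEVICE"; do
    check_device "$d" || true
done
# Against a real, already-authorized device: check_device "$(adb shell getprop)"
```

Two caveats for anyone using this: adb only answers on a device that already has USB debugging enabled and has authorized the host, so this is an administrator's fleet check, not something to run on a locked phone; and the script looks only at the build, not at which lockscreen type is configured, so a device it flags as "affected" is still safe from this particular bypass if the owner has followed the mitigation above and switched to a PIN or pattern.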