More than 50 million smartphone users worldwide face a risk posed by a critical flaw in the Viber app. The security company Bkav announced that it has found a way to gain full access to Android phones using the popular Viber messaging app.
Unlike the Samsung lockscreen issue we reported on earlier, this attack doesn't take any fancy finger work. Instead, all it needs is two phones, both running Viber, and a phone number.
"The way Viber handles to popup its messages on smartphones' lock screen is unusual, resulting in its failure to control programming logic, causing the flaw to appear," said Mr. Nguyen Minh Duc, Director of Bkav's Security Division.
Steps to exploit:
- Send a Viber message to the victim
- Combine actions on Viber message popups with tricks like using the victim's notification bar, sending other Viber messages, etc. to make the Viber keyboard appear
- Once the Viber keyboard has appeared, to fully access the device, create a missed call to the victim (with HTC Sensation XE), press the Back button (with Google Nexus 4, Samsung Galaxy S2, Sony Xperia Z), etc.
POC video:
As the above videos demonstrate, the latest vulnerability affects a variety of handsets as long as they have Viber installed. People rely on their smartphones to keep their e-mails, contacts, and other sensitive information, so the company plans to release a fix for the issue next week.