Security features on Android smartphones can easily be bypassed by cybercriminals, even if the device is protected by encryption, it has been revealed.

Researchers from the University of Texas at Austin discovered that as a result of the vulnerability in Android 5.x (CVE-2015-3860), attackers can circumvent Android lockscreen security and take control of the smartphone.

“By manipulating a sufficiently large string in the password field when the camera app is active an attacker is able to destabilize the lockscreen, causing it to crash to the home screen,” the team reported in an official blog.

“At this point arbitrary applications can be run or adb developer access can be enabled to gain full access to the device and expose any data contained therein.”

There are two criteria for a successful attack to be launched. One, the cybercriminal must have physical access to the device and two, the original user must have a password set.

The process of bypassing security

analisis_android

From the locked screen, the attacker will open the emergency call window, “type a few characters”, double-tap to highlight the text and then copy.

“[The cybercriminal will] then tap once into the field and tap paste, doubling the characters in the field,” the researchers elaborated.

This process is then repeated until the attacker can no longer highlight the field with the double-tap (approximately 11 repetitions).

From this point, the cybercriminal will return to the lockscreen and then access the camera, which is possible without having full access to the smartphone.

The next step is to then swipe down to bring up the notification page, press the settings icon and then, in response to the password prompt, to long-tap into the field.

As with before, the process of repetitions begins again, with the attacker persisting with pasting the characters as many times as the device will allow.

This comes to a halt when the user interface crashes and the “soft buttons of the screen disappear”. The camera will then expand to fullscreen and the attacker will wait until this function crashes (a degree of patience is required).

The attacker can then “navigate to the settings application by any means possible” and, “at this point, it is possible to enable USB debugging normally and access the device via the adb tool to issue arbitrary commands”.

The vulnerability has been resolved

The security flaw was reported by the university to the Android security team towards the end of June. In August, it committed a patch to resolve the issue and on September 9th, announced that the 5.1.1 build LMY48M had fixed the issue.

In the announcement, Google stated that it had not observed any malicious activity of the kind highlighted by the University of Texas at Austin.

Aggressive Android ransomware spreading in the US

android-malware-623x360

In related news, ESET recently reported that it had found the “first known Android lock-screen-type ransomware spreading in the wild that sets the phone’s PIN lock”.

Lukas Stefanko, a malware researcher at ESET, noted that this development is significant and that “malware writers have stepped up their game”.

He explained: “With the new Android ransom-lockers … users have no effective way of regaining access to their device without root privileges or without some other form of security management solution installed, apart from a factory reset that would also delete all their data.”