This year we have seen many security flaws in the Android operating system, and it seems that they are failing to provide first-class security for this popular platform. Recently a security analyst at the University of Texas discovered that some devices running Android Lollipop can be unlocked and accessed simply by entering a very long password, which causes the lock screen to crash. The vulnerability potentially affects 21% of Android devices in use and requires the attacker simply to overload the lock screen with text.
The hack consists of basic steps like entering a long, arbitrary collection of characters into the phone’s Emergency Call dial pad and repeatedly pressing the camera shutter button. Researcher John Gordon, who outlines the full hack in this security notice and demonstrates it in the video below, says the trick offers full access to the apps and data on affected phones. And by using that access to enable developer mode, he says that an attacker could also connect to the phone via USB and install malicious software.
Gordon says he stumbled on the lock screen vulnerability while messing with his phone during a long East Texas road trip.
“I’m sitting in the passenger seat, bored, with no signal on my phone, so I start poking around and seeing what unexpected behavior I can cause. A few idle hours of tapping every conceivable combination of elements on the screen can do wonders for finding bugs.”
Gordon tested the attack only on Nexus devices, but he believes it likely works on other Android devices that use version 5 of the operating system. He reported the issue to Google in late June, and Google released a fix for the security hole on Wednesday for its line of Nexus devices, describing the bug as of “moderate” severity and saying that, to the company’s knowledge, it was not being actively exploited by attackers.
About 20% of the billion Android devices across the world run Google’s latest version, called Lollipop, including new devices from Samsung, LG and Sony. These devices will require a software update to fix the bug, but users will have to rely on the manufacturer of the smartphone and their mobile phone operator to roll out the update, rather than on Google directly. The attack requires physical access to the smartphone and cannot be performed remotely. Users worried by the attack can change their lock screen preferences to a pattern unlock or a PIN code, which can be up to 16 characters long, instead of a password.
After the Stagefright security vulnerability, Google, Samsung, LG and other Android smartphone manufacturers recently pledged to release monthly security updates for their latest devices, in an attempt to help prevent this kind of attack being used.