Critical flaw in Viber for Android allows bypassing lock screen

Recently, researchers have identified a serious security vulnerability in Viber for Android. The vulnerability can be exploited without special techniques to bypass the Android lock screen by simply sending messages to victim’s handset. Once the lock screen is unlocked, the attacker can have complete access to the handset.

Viber is a mobile app, with 175 million users worldwide. It allows users to conduct a call, send text and photos for free. It is available on iOS, Android, Windows Phone and BlackBerry.

The vulnerability was identified in Viber for Android version 2.3.6.338. There is a flaw within the function of "Unlock for popups", which can be exploited by attacker to unlock screen lock by sending a Viber popup message, then press the back button. Because this flaw is within the app itself, it is vulnerable on different manufacturers’ handsets and Android system versions.

HKCERT recommend users to update the app to version 3.0.0.1686 and secure their handsets. User can also disable the "Unlock for popups" function in the setting to prevent the vulnerability being exploited.

Solution 1: Update to the latest version of Viber (3.0.0.1686)

https://play.google.com/store/apps/details?id=com.viber.voip

Solution 2: Disable the "Unlock for popups" function

Fig) In the "More" tab > Setting > Uncheck "Unlock for popups"

If you want to learn more about mobile security, please refer to Guideline of Mobile Security provided by HKCERT.