Rajiv Singha

Android Lollipop Users Vulnerable to Massive Password Hack Attack

September 24, 2015

A group of researchers at Texas University in Austin has discovered a security flaw in mobile phones running the Android Lollipop version.


What is this security flaw?

This flaw allows anyone to bypass the lockscreen of an Android phone by using a massive password and to expose the home screen, thereby giving full access to the phone and its contents.

How does the attack work?
The attack works by opening the camera app first, pulling down the notification drawer from the top of the screen, and tapping on the settings icon in the top-right corner. This will prompt the user for the password. Now, the user has to enter a massive password (an extremely long string of words; it could even be ************************). This will overwhelm the lockscreen, causing the camera app to crash and exposing the home screen.

Who all are vulnerable to this attack?
Android Lollipop (5.0) users who use PASSWORD to protect their device could be vulnerable to this security bug. PIN or PATTERN locks are not affected. However, it isn’t clear whether the entire range of Android Lollipop devices is affected by this bug.

Note: Google has already released the security fix for this bug for its line of Nexus devices. As of now, this fix is yet to be released to other smartphone makers, who will then push the update out to their respective customers.

What is the Temporary Fix?
Users can change their lockscreen preference to PIN. They can also switch to PATTERN LOCK, but we do not recommend this, as it’s not a reliable form of security.

To conclude, this attack cannot be performed remotely and requires physical access to the phone, in which case users whose phones have been lost or stolen are at risk. Just so you know, Quick Heal Mobile Security app lets you lock your lost/stolen phone with the help of a simple SMS command. Doing this will ensure that your phone is not misused.


Source:
http://www.dailymail.co.uk
http://www.theguardian.com

About Rajiv Singha
Rajiv is an IT security news junkie and a computer security blogger at Quick Heal. He is passionate about promoting cybersecurity awareness, content and digital...

31 Comments


  1. prateek choudhary (September 30, 2015 at 10:36 AM)

    I disagree to that, android has an option of total 8 different along with the newly introduced fingerprint scanner, the only way I can think of getting past the lock screen is if someone resets the software itself without touching the internal SD data. That is easy. But your theory is wrong & I can prove this with my current handset. Also in your blog you have not mentioned what android lollipop version it has been affected. I guess you need to research this a bit further.

    • Hi Prateek,

      Thank you for the comment. The blog post addresses the concern that is related to a security bug in the PASSWORD lock mode. And the fingerprint scanner is a functionality not present in all Lollipop devices. Hence, our only intention was to give a heads-up to our users about this so that they can be on a safer side. As far as the attack is concerned, this is how it is performed – https://youtu.be/J-pFCXEqB7A

      Regards,

      • Prateek Choudhary (October 1, 2015 at 11:56 PM)

        Rajib,

        If you have noticed the video carefully, not all functionality is open, even when adb is enabled, but when you connect the USB cable it will again ask for the passcode, also the settings window will hang. I have tried with 3 versions of lollipop & the only affected version device I have noticed is code name Mako, also known as Nexus 4, with 5.0.0; the unaffected versions are 5.0.2 & 5.1.1. By the way, your quickheal security app is only working till it has a working sim & a signal in it. Remove the sim card & remove the app via ADB pull command, your security app is disabled. Hence even with your security app it's not foolproof. I still feel you need more research on this.
  2. suman kumar (October 1, 2015 at 3:43 PM)

    please informed me when any problem persuing on my laptop due to virus

  3. PARITOSH SANGHAVI (October 1, 2015 at 5:02 PM)

    USE JUST APPLE PHONE …. THE IOS SYSTEM AS IT IS BETTER THAN ANDROID

  4. please give some more information

  5. Avishek Mondal (October 1, 2015 at 8:19 PM)

    thanx for the post really helpful

  6. Nice this

  7. G vijaysen varma (October 3, 2015 at 7:38 AM)

    TQ For quick heal team

  8. JitENdeR kumar (October 3, 2015 at 10:54 AM)

    Vary gud

  9. aquib shaikh (October 3, 2015 at 3:27 PM)

    Nice version

  10. Very nice version

  11. prasad pathari (October 3, 2015 at 5:44 PM)

    Thanku Quickheal

  12. Good

  13. Prajjwalpandey (October 4, 2015 at 10:41 AM)

    It’s nice to uses

  14. Lalit kumar (October 4, 2015 at 1:35 PM)

    Nice

  15. Tnx fr the info

  16. Vidya Gaikwad (October 4, 2015 at 3:30 PM)

    Nice..

  17. Vitthal patil (October 4, 2015 at 5:35 PM)

    Good

  18. sagar shinde (October 5, 2015 at 12:55 AM)

    Good

  19. sagar shinde (October 5, 2015 at 12:56 AM)

    Nice

  20. Debasis Das (October 5, 2015 at 1:30 PM)

    good

  21. Prajjwalpandey (October 5, 2015 at 6:37 PM)

    It’s to nice for use.

  22. sanjeev topno (October 9, 2015 at 11:38 AM)

    very nice

  23. kashishkashishsetg (October 27, 2015 at 7:51 PM)

    It’s is not use to me this lock

  24. Niceeee