Android bug allows phone lock screen to be easily unlocked
The next step is to swipe open the camera app, which is still accessible from a locked screen, along with a settings icon. The trick works on handsets running any OS version from Android 5.0 to Android 5.1.1 (but not the latest LMY48M build) with a password-based lock, even if encryption is enabled on the device.
After this is done, an attacker can gain access to the device.
‘By manipulating a sufficiently large string in the password field when the camera app is active an attacker is able to destabilise the lockscreen, causing it to crash to the home screen,’ explained John Gordon in a blog post. Unfortunately, the effect of that crash is to drop you onto the phone’s home screen, thus allowing complete access to the phone.
About 20% of the billion or so Android devices across the world run Google’s latest version called Lollipop, including new devices from Samsung, LG and Sony.
This process is then repeated until the attacker can no longer highlight the field by double-tapping (approximately 11 repetitions). That
When prompted, enter a long string of random characters – around 110 characters – into the password field that appears. The Stagefright flaw continues to bedevil Google, which has yet to address all of the vulnerabilities that researchers have found with the media library. The option of prompting a user for a password can be seen on the settings page. The developers have started working on a fix for the vulnerability, which will be added in the monthly Android security update with build number “LMY48M”.
Gordon said that the bug was confirmed, and patched, on Google Nexus devices; other manufacturers’ Android phones could be vulnerable as well.
The best course of action while you wait on a patch is to simply avoid using a password on the lock screen, relying instead on a PIN, fingerprint or pattern lock.
The patch is already available for Google’s own line of phones – the various Nexus models.