A moderately severe security flaw has been detected in Android. Android Lollipop smartphone holders are advised to upgrade or follow a security procedure.
The hacker must be in possession of the phone to successfully hack the device, the trouble lies in the lockscreen. For users who have selected password as their method of protection, the lock may be broken by overwhelming the password space with random characters while the camera is open, according to the report published by the Information Security Office of the University of Texas.
For users to protect their phones, they must either upgrade or change their screen lock to pattern, face recognition, or other available security options. For high-end phone users, fingerprint scanner is the most trusted protection method.
The bug specifically affects those who are using Android Lollipop. Versions more advanced than Android 5.0 and more advanced Android 5.1.1. are also threatened. Google has released a patch last Sept. 11 to cover up the glitch for its own Nexus devices.
The trouble was detected by University of Texas researcher John Gordon on a Nexus unit. It remains unknown whether other Android phones are vulnerable. If other smartphone brands are exposed, then 20 percent of over one billion Android smartphones are affected.
The security of the users is also in the hands of smartphone vendors who are in charge of rolling out updates.
Interestingly, the Android Security group initially classified Gordon's discovery as a low severity bug, CSO reported. Gordon was unqualified for compensation under Google's new Android security rewards program, which pays security researchers who can report any flaw to secure the OS.
In July, Gordon successfully convinced Google that his discovery deserved a higher severity score.
"This is a local attack with no user interaction leading to user-level control of the device, essentially 'local unprivileged code execution' and I would think it would rank at or just below 'remote unprivileged code execution'. I hope this rating can be re-evaluated with consideration for the type of attack and extent of device and user data compromise achieved," wrote Gordon to the Android security team.
Gordon was offered $500 for his work.
The current bug is less alarming than Stagefright, a security glitch that worried Android users around the world. The fault exists in a media playback tool built into the OS. Malicious hackers can take advantage of the flaw by messaging a video containing a malware in its code. Upon receipt of the text message, the virus activates as the media player scans the unread message. Therefore, even without opening the file, the malware takes over the user's phone stealing credit card numbers and personal details.
