A vulnerability has been found on Android that allows the lock screen of a smartphone to be bypassed. For this, it uses the phone’s multi-user mode, which allows you to create several sessions on one device.
Security vulnerabilities in our smartphones are part of the daily life of many developers, although we do not always realize it. This July 15, for example, a new security threat has been discovered that is said to have infected three million Android devices. Added to this is a newly disclosed vulnerability allowing the lock screen to be bypassed by exploiting a breach in the multi-user mode on Android.
As a reminder, the multi-user mode allows you to add kinds of sessions, like what you find on Windows, but on Android. This is useful for devices that are shared by multiple people, for work or family with custom spaces.
A security flaw on Android to unlock a smartphone without the code
Maveris Labs community member Josué Nearchos posted an article on Medium in which he speaks ofCVE-2022-20006 “. We learn there that he ispossible to briefly view what is behind the lock screenby distorting the level of permissions granted. “User interaction is not required for operation[de la faille]».
The problem is the transition between user profiles. In his article, Josué Nearchos explains how to unlock an Android smartphone without a code, password, etc. When switching from any profile to the target profile, one has to quickly click on the target profile as well as the home button. Once the manipulation has been completed, you can access the home screen of the target profile. It is not easy to achieve and the flaw is limited.
Lien YouTubeSubscribe to Frandroid
In effect, “if successful, you will be presented with the target users home screen and you will be able to browse and access anything in that target user profile for a limited time (usually 5-30 seconds) before the lock screen does not reappear“. While it may seem very unhelpful, it may be enough to install malware.
The prerequisites for making the fault work
Fortunately, certain conditions restrict the exploitation of the flaw. It requires physical access to the device, which must be running Android 10, 11, or 12,”with security patch levels prior to June 5, 2022“. A good reminder to make is that you have to update your devicesincluding security updates.
On top of that, three-button navigation needs to be enabled, not gesture navigation. Next, “lock screen must be enabled“, just like the multi-user function, with at least two users, even if one is a profile “guest ».
Let’s face it, few of us have the right safety reflexes. However, our smartphones, our tablets and our PCs house a great deal of private data. So you are surely interested in following these…
Read more
To follow us, we invite you to download our Android and iOS app. You can read our articles, files, and watch our latest YouTube videos.