Smartphones running Android Lollipop can be unlocked by entering a very long password causing the lock screen to crash.
The vulnerability, discovered by researchers at Texas University in Austin, potentially affects >21% of Android devices in use and requires the attacker to simply overload the lockscreen with text.
The bug affects only those users with smartphones running Google’s Android Lollipop using a password to protect their devices. Pin or pattern unlock are not affected.
The attacker need to enter enough text into the password field to overwhelm the lockscreen and cause it to crash, revealing the homescreen and giving full access to the device, whether encrypted or not.
“By manipulating a sufficiently large string in the password field when the camera app is active an attacker is able to destabilise the lockscreen, causing it to crash to the home screen,”John Gordon from Texas university said.
Google released a fix for the security hole on Wednesday for its line of Nexus devices, describing the bug as of “moderate” severity, but that it was not actively being exploited by attackers, according to the company’s knowledge.
The researchers demonstrated the attack on a Google Nexus 4, and required the attacker to use the emergency call function to copy hundreds of characters to the clipboard.
About 20% of the billion android devices across the world run Google’s > latest version called Lollipop , including new devices from Samsung, LG and Sony.
These devices will require a > software update to fix the bug , but users will have to rely on the manufacturer of the smartphone and their mobile phone operator to roll out the update, rather than Google directly.
The attack requires physical access to the smartphone, and cannot be performed remotely. Users worried by the attack can change their lockscreen preferences to a pattern unlock or Pin code, which can be up to 16 characters long, instead of a password.
After the Stage fright security vulnerability , Google, Samsung, LG and other Android smartphone manufacturers recently pledged to release monthly security updates for their latest devices, in an attempt to help prevent this kind of attack being used.