Android Lock Screen Vulnerability

If you are running the Google Android Lollipop mobile operating system and use a password to lock your phone, then your phone could be hacked. Ars Technica describes exactly how to bypass the lock screen:

“The technique begins by adding a large number of characters to the emergency call window and then copying them to the Android clipboard. (Presumably, there are other ways besides the emergency number screen to buffer a sufficiently large number of characters.) The hacker then swipes open the camera from the locked phone, accesses the options menu, and pastes the characters into the resulting password prompt. Instead of returning an error message, vulnerable handsets unlock.”

Android Lollipop covers versions 5.0 through 5.1.1 (current). A security analyst at the University of Texas is credited with the discovery. The University of Texas details exactly how to complete this hack.

Our Analysis

PC World and The Register both report that if you own a Nexus device and have installed Google’s latest update, you have patched the vulnerability. The vulnerability is fixed in the 5.1.1 build LMY48M. Unfortunately, as Wired reports, “due to the carrier’s inability to get patches out to the devices in a timely manner, then most devices are still vulnerable.”

If you are an Android user who uses a password and are not running the most up-to-date build of Lollipop 5.1.1 on a Nexus device, you are likely still vulnerable. I would suggest you change to either a PIN or Pattern on your lock screen. The vulnerability affects only password locks, so until your device gets the update, this will protect your phone.

Hopefully, in the future these carriers will have developed a method to roll out updates in a timely manner to avoid these issues. There currently isn’t a timeline for when your device could get this update.

For future news regarding this vulnerability or other Android tips and issues, please visit Greenbot. It is a great starting point for finding out if or when you can expect this issue to be patched on your device.


University of Texas
The Register
Ars Technica
PC World

About Scott Entsminger

Scott Entsminger was born and raised in Virginia. He graduated from Radford University with a Bachelor’s of Science in Criminal Justice. Scott has worked for the Department of Defense since graduating college. He is an expert in Windows Administration; with specific experience in Group Policy and vulnerability remediation. He also has specific experience in Information Assurance (IA) and Cyber Security. Scott holds the CompTIA Security+ certification. He is always looking to diversify his skillset. Scott is an avid sports fan, particularly baseball. He also is an avid gamer and enjoys learning different skills involving his PC.