Android Bug Can Let Basically Anyone Bypass Your Lock Screen If You Use A Password

It is just not a great year for Android security, it seems. Researchers in Texas have discovered that some devices running Android version 5 (Lollipop) can be unlocked and accessed basically by just mucking around with buttons on the lock screen long enough.

The security analyst who discovered the flaw did it basically out of boredom, Wired reports. He started poking around his phone to make it see what he could make happen, and discovered the vulnerability.

Happily, unlike the last headline-grabbing Android exploit this year, this bug affects only a small minority of users. Specifically, it’s Android device owners running Android 5 and who use a password — not a PIN or a pattern — to lock their screens.

The other good news is, someone needs physical access to your phone in order to pull it off. Where other exploits have been vulnerable to remote access, like a text message, unlocking the phone’s screen still requires someone actually tapping on the screen — it just doesn’t require them actually to know your password.

“My concern when I found this…was thinking about a malicious state actor or someone else with temporary access to your phone,” the researcher told Wired. “If, say, you give your phone to a TSA agent during extended screening, they could take something from it or plant something on it without you knowing.”

Google pushed a patch for the vulnerability in August, but for device owners who have to rely on their service providers for updates (i.e. most people), there’s no telling when the patch will actually come through.

Hack Brief: Emergency-Number Hack Bypasses Android Lock Screens [Wired]

Want more consumer news? Visit our parent organization, Consumer Reports, for the latest on scams, recalls, and other consumer issues.