A massive security vulnerability has been discovered in Android. Attackers can take control of Android smartphones in less than a minute, according to reports. Google has already reacted and distributed a security patch.
Android: Gap allows full cell phone control
Hungarian security researcher David Schütz has discovered an extensive vulnerability in Android. According to him, it is possible to gain full control over Android phones in less than a minute. For this, the smartphone must be physically present, so an attack from a distance is not possible. However, neither special software nor tools need to be used for the attack itself.
Schütz explains that the vulnerability can be exploited via Android’s lock screen. To do this, a separate SIM card is first inserted into the smartphone, which has a PIN lock. Then, the SIM PIN is intentionally entered incorrectly three times, after which the correct PUK code is typed in. After that, a new PIN can be assigned for the SIM. Android then releases the lock screen and the system is open (source: David Schütz at xdavidhu.me).
The attack was successfully carried out on a Pixel 6 from Google. In principle, however, the vulnerability can be exploited on all Android devices.
This is how the Android lock screen can be bypassed:
Google removes gap with security patch
For its own smartphones, Google has distributed a security patch that closes the gap. It has been available since November 5, 2022. Other manufacturers should also provide corresponding patches in the near future or have already passed it on to their users.
Schütz did not go public with his discovery immediately, but first informed Google as the Android manufacturer. The company then paid the security researcher 70,000 US dollars as a reward.
