A vulnerability has been found in Android that allows the lock screen of a smartphone to be bypassed. It relies on the phone’s multi-user mode, which lets you create several sessions on the same device.
Security vulnerabilities in our smartphones are part of everyday life for many developers, even if we don’t always realize it. This July 15, for example, a new security threat was discovered that is said to have infected three million Android devices. Added to this is a recently disclosed vulnerability that allows the lock screen to be bypassed by exploiting a loophole in Android’s multi-user mode.
As a reminder, multi-user mode lets you add separate user sessions, much like on Windows, but on Android. This is useful for devices shared by several people, for work or for a family, with personalized spaces for each user.
A security flaw in Android to unlock a smartphone without the code
Josué Nearchos, a member of the Maveris Labs community, posted an article on Medium in which he discusses CVE-2022-20006. There we learn that it is possible to briefly see what’s behind the lock screen by distorting the level of permissions granted. “No user interaction is required for exploitation [of the flaw].”
The problem lies in the transition between user profiles. In his article, Josué Nearchos explains how an Android smartphone can be unlocked without a code, password, etc. When switching from any profile to the target profile, one has to quickly tap the target profile and then the start button. Once the manipulation succeeds, you reach the home screen of the destination profile. It is not easy to achieve, and the flaw is limited.
Indeed, “if successful, you will be presented with the target user’s home screen and be able to browse and access anything in that target user profile for a limited time (usually 5-30 seconds) before the lock screen reappears”. While this may seem of little use, it may be enough to install malware.
The prerequisites to make the glitch work
Fortunately, certain conditions restrict the exploitation of the flaw. It requires physical access to the device, which must be running Android 10, 11, or 12 “with security patch levels prior to June 5, 2022”. A good reminder that you have to keep your devices updated, including security updates.
On top of that, three-button navigation must be enabled, not gesture navigation. Next, the “lock screen must be enabled”, as must the multi-user function, with at least two users, even if one of them is a “guest” profile.
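For an administrator managing shared devices, the useful question is which devices still meet every precondition listed above. The following script is an added example, not code from the article or from the Maveris Labs write-up: it takes a snapshot of device settings and reports which of the stated preconditions (Android 10 to 12, patch level before June 5, 2022, three-button navigation, lock screen enabled, at least two users) hold, plus the defensive actions that remove them. The property and setting names it mentions (ro.build.version.release, ro.build.version.security_patch, the navigation_mode secure setting with 0 meaning three-button, and the text format of pm list users) are assumptions about how the data would be collected; the sample device values are constructed for the demonstration.

```python
"""Exposure check for the CVE-2022-20006 lock-screen bypass preconditions.

Added example, not from the article. Assumptions: the values come from
ro.build.version.release, ro.build.version.security_patch, the secure setting
navigation_mode (0 = three-button, 1 = two-button, 2 = gesture) and the raw
output of `pm list users`. The sample snapshot below is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional
import re

PATCHED_ON = date(2022, 6, 5)      # patch level named in the article
AFFECTED_MAJORS = {10, 11, 12}     # Android versions named in the article


@dataclass
class DeviceSnapshot:
    release: str              # e.g. "12"  (ro.build.version.release, assumed source)
    security_patch: str       # e.g. "2022-05-05" (ro.build.version.security_patch, assumed)
    navigation_mode: int      # 0 = three-button, 1 = two-button, 2 = gesture (assumed encoding)
    lock_screen_enabled: bool
    user_list_output: str     # raw text of `pm list users` (assumed format)


def parse_user_ids(pm_output: str) -> List[int]:
    """Extract user ids from lines such as 'UserInfo{10:Guest:404}'."""
    return [int(m) for m in re.findall(r"UserInfo\{(\d+):", pm_output)]


def parse_patch_date(text: str) -> Optional[date]:
    """Parse a YYYY-MM-DD patch level; None if the value is malformed."""
    try:
        return date.fromisoformat(text.strip())
    except ValueError:
        return None


def major_version(release: str) -> Optional[int]:
    """Leading integer of the release string ('12', '11.0', ...)."""
    m = re.match(r"\s*(\d+)", release)
    return int(m.group(1)) if m else None


def assess(snapshot: DeviceSnapshot) -> Dict[str, bool]:
    """Evaluate each precondition from the article; all must hold for exposure."""
    patch = parse_patch_date(snapshot.security_patch)
    users = parse_user_ids(snapshot.user_list_output)
    checks = {
        "affected_android_version": major_version(snapshot.release) in AFFECTED_MAJORS,
        "patch_level_before_fix": patch is not None and patch < PATCHED_ON,
        "three_button_navigation": snapshot.navigation_mode == 0,
        "lock_screen_enabled": snapshot.lock_screen_enabled,
        "two_or_more_users": len(users) >= 2,
    }
    checks["all_preconditions_met"] = all(checks.values())
    return checks


def remediation(checks: Dict[str, bool]) -> List[str]:
    """Defensive actions that each remove at least one precondition."""
    actions = []
    if checks["patch_level_before_fix"]:
        actions.append("install the June 2022 (or later) Android security update")
    if checks["two_or_more_users"]:
        actions.append("remove unused or guest users on shared devices")
    return actions


# Constructed sample: an unpatched, shared device using three-button navigation.
SAMPLE = DeviceSnapshot(
    release="12",
    security_patch="2022-05-05",
    navigation_mode=0,
    lock_screen_enabled=True,
    user_list_output="Users:\n\tUserInfo{0:Owner:13} running\n\tUserInfo{10:Guest:404}\n",
)

if __name__ == "__main__":
    result = assess(SAMPLE)
    for name, ok in result.items():
        print(f"{name}: {ok}")
    for action in remediation(result):
        print("action:", action)
```

The check is deliberately conservative: a malformed or missing patch-level string is treated as not before the fix, so a device is only flagged as exposed when every precondition is positively confirmed, and the remediation list points at the two conditions an administrator can actually change remotely (patch level and user count).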