It’s been a big week for phone security exploits. This time, it’s recommended you grab the latest Android update to fix an exploit capable of bypassing a device’s lock screen.
Fresh off the recent iPhone remote access vulnerability, an accidental discovery revealed an Android bug with devastating consequences. David Schütz, a cybersecurity researcher who investigates security flaws, found he could skip past a phone's lock screen using a loophole in how Android handles SIM card unlocking.
In the process Schütz documented in a blog post, the bypass worked by entering the wrong SIM PIN enough times to lock the SIM, then entering the card's personal unlocking key (PUK) and choosing a new PIN. Once the new PIN was accepted, the phone went straight to the home screen, skipping the fingerprint or other lock screen credential entirely. The sequence was reliably reproducible, and he confirmed it on both a Google Pixel 6 and a Google Pixel 5. The fix, however, rolled out to devices running Android 10, 11, 12, 12L and 13, which suggests the flaw reached well beyond Pixel devices. It also raises the question of whether a security-oriented feature like Samsung's Maintenance Mode would have protected unpatched phones against such a technique.
Schütz then reported the bug to Google through its bug bounty program, but the fix took months to arrive: 150 days passed between the initial report and the post-fix disclosure, a long window for a flaw this serious. After some back-and-forth with the Android Security Team at Google, Schütz received a US$70,000 bounty for his work.
How to download and install an Android update
On Android devices, operating system updates, security updates, and Google Play system updates are delivered separately. To check for security updates, open Settings, tap Security, then tap Google Security checkup; if an update is available, it will guide you through installing it.
Although the exploit required physical access to the phone, it would have let a thief with a stolen device walk straight past the lock screen had it not been addressed. Fortunately, the 7 November Android security update fixed the issue.
This, combined with the recent iOS update, is a timely reminder to keep your devices updated. Beyond new features, many software updates contain important security fixes that protect your devices.
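If you manage more than one Android device, it is quicker to read the patch level than to tap through Settings on each one. The following shell script is an added example, not code from the article or from Google: it compares the security patch level a device reports (the real `ro.build.version.security_patch` system property, readable over adb) against a required level. The default threshold of `2022-11-05` is assumed here as the full patch level string of the November 2022 Android security bulletin; the sample values fed to it at the end are constructed and need no device.

```shell
# Added example (not from the original article): check whether an Android
# device's reported security patch level is at or past a given bulletin.
# The property name is real; the default threshold assumes the full
# November 2022 patch level string "2022-11-05".

REQUIRED_PATCH_LEVEL="2022-11-05"

# Convert "YYYY-MM-DD" to an integer YYYYMMDD; return 2 on malformed input.
patch_level_to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    printf '%s\n' "$1" | sed 's/-//g'
}

# patch_level_at_least LEVEL [REQUIRED]: return 0 if LEVEL >= REQUIRED,
# 1 if it is older, 2 if either string is not a YYYY-MM-DD patch level.
patch_level_at_least() {
    have=$(patch_level_to_int "$1") || return 2
    need=$(patch_level_to_int "${2:-$REQUIRED_PATCH_LEVEL}") || return 2
    [ "$have" -ge "$need" ]
}

# Read the live value from a connected device over adb (requires adb and
# USB debugging enabled); strips the CR that adb shell appends on some hosts.
device_patch_level() {
    adb shell getprop ro.build.version.security_patch | sed 's/\r$//'
}

# Demonstration on constructed values (no device needed). To check a real
# phone, replace the list with: $(device_patch_level)
for level in 2022-10-05 2022-11-05 2023-01-05 garbage; do
    rc=0
    patch_level_at_least "$level" || rc=$?
    case "$rc" in
        0) echo "$level: patched" ;;
        1) echo "$level: NOT patched, install the November 2022 update" ;;
        *) echo "$level: unrecognised patch level string" ;;
    esac
done
```

A device that reports an older level is not necessarily exploitable (OEMs sometimes backport fixes), but anything older than the bulletin that shipped the fix is a device you cannot vouch for without further checking.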