Google issued its first monthly Android security patch for Nexus devices a few days ago, and one of the items in the changelog was quite interesting. Google patched a lock screen. You need that text field because the hack relies on pasting text.
However ,even though the patch has been deployed, many reports are treating this as an apocalyptic security problem for Android. But that’s all due to a fundamental misunderstanding of how Android works.
The flaw in question was discovered by University of Texas researchers and relies on the password field on the lock screen. So right off the bat, this vulnerability only applies if you’re using a password lock method, because it has a text field. A pattern or PIN lock does not present such a field, even if you enter your code incorrectly multiple times. You need that text field because the hack relies on pasting text into that field to crash the lock screen.
You can see in the video below how the hack works. It’s a legitimate lock screen bypass, but it takes a few minutes to execute. Basically, you need to paste long strings of text into the field repeatedly, but only when accessed from the lock screen’s camera interface. Eventually, the camera and lock screen will both crash, and the phone dumps you on to the home screen. Whoops. From that point, you have full access to the phone until you lock it again. You can do things like enable USB debugging or authorize a bootloader unlock without any trouble.
Google has patched Nexus devices with build LMY48M and noted that there were no active exploits of this vulnerability in the wild. However, many of the news reports on this issue have pointed out with hyperbolic concern that there are still about one-fifth of Android devices from Samsung, LG, and others running un-patched versions of 5.x. What these hysterical warnings fail to take into account is that none of those phones were vulnerable in the first place.
The flaw relies entirely upon a stock build of Android like you’d find on Nexus devices. All other OEMs have modified lock screens and camera apps. Many also have their own keyboards that don’t work with the bug. Just to make sure, I’ve tested a Samsung Galaxy S6, LG G4, and 2015 Moto G, and none of them seem to be vulnerable. You can’t paste into the password field at all. So what does this mean? Virtually every device with this bug has been fixed, and there’s no need to panic.
