Security Flaw in Viber: Full Access to your Phone

Viber user? Your phone is at serious risk. A security flaw has been exposed in the popular voice-calling app that allows full access to your smartphone, bypassing any lock or security feature that you may have enabled on the device.

Viber is a VoIP app available for Android, iOS, Windows Phone and BlackBerry, known for its quality voice-calling feature.

The exploit can be accessed on a number of Android smartphones – Samsung, HTC, Sony, any model basically. It is also a cause for concern because Viber has been downloaded more than 100 million times – there are too many devices at risk out there. Viber itself claims to be adding 400,000 new users everyday. It recently launched its calling feature on BlackBerry after months of expectations.

The security flaw was discovered by researchers at security firm Bkav, and can be exploited by sending a few messages from any phone to your target device. Although methods differ slightly depending on your device, the loophole essentially takes advantage of the pop-up feature Viber employs for new incoming messages. Bkav’s Security Division highlights the following steps to pull off the exploit:

1. Send Viber message to victim

2. Combine actions on Viber message popups with tricks like using victim’s notification bar, sending other Viber messages, etc. to make Viber keyboard appear

3. Once Viber keyboard has appeared, to fully access the device, create missed call to victim (with HTC Sensation XE), press Back button (with Google Nexus 4, Samsung Galaxy S2, Sony Xperia Z), etc.

The problem stems from the fact that upon installation, Viber requires permissions for certain actions on your phone. In this case, it’s the ability to “disable your screen lock”. You can’t install Viber without allowing this permission, and thus there’s no fix here.

A spokesperson for Viber acknowledged the flaw and said the company, Viber Media, has fixed the flaw in an update that should be pushed to the Play Store by next week.

The way Viber handles to popup its messages on smartphones’ lock screen is unusual, resulting in its failure to control programming logic, causing the flaw to appear.  – Mr. Nguyen Minh Duc, Director, Bkav’s Security Division.

Here’s a video of the Viber hack being pulled off on a Nexus 4:

[youtube https://www.youtube.com/watch?v=JQhNMJpAlto]

Viber representatives have apparently fixed the issue, and an updated version is available from their website here. It hasn’t hit the Play Store yet, and we don’t know how soon that’ll happen. Until then, disabling the pop-up notification in Viber could be the least you could do.