A 19-year-old bug hunter has identified a flaw in the Android version of Microsoft’s Skype app which, if exploited, can give an attacker access to various app functions without going through the passcode verification that normally unlocks the phone. Once past the lock screen, the attacker can view everything from contacts to photos, send SMS messages and may also open browser windows.
Florian Kunushevci, the bug hunter who identified the vulnerability (CVE-2019-0622), claims that a person in possession of an Android phone can receive a Skype call without unlocking the phone and, from there, access other data. The flaw has great potential for exploitation by pranksters, malicious threat actors and identity thieves. Kunushevci found it while using the Skype app for Android, when he noticed something unusual in the way the app accessed local files on the phone during VoIP calls.
“One day I got a feeling while using the app that there should be a need to check a part which seems to give me other options than it should. Then I had to change the way of thinking as a regular user into something that I can use for exploitation,” explains Kunushevci.
Kosovo-based Kunushevci also demonstrated the method in a YouTube video showing how someone in possession of an Android phone can receive a Skype call without unlocking the handset. The Skype call and the unlocking of the phone are linked because, as soon as the call is answered, that person can easily access all the data stored on the phone.
Kunushevci found that when he answered a Skype call, a number of app functions such as photo-sharing and contacts became accessible even though the phone was locked. The cause is a glitch in the system’s security, which Kunushevci describes as “more of bad design and also a bug in coding. I think to put it all together, humans make mistakes.”
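The failure mode described above, an in-call screen that is allowed over the lock screen but then lets the user reach contacts and photos without ever unlocking, is the kind of design issue a defender guards against by gating every data-bearing action behind the keyguard. The following is an added illustration of that pattern using standard Android APIs (KeyguardManager, setShowWhenLocked); it is not Skype’s code, and the class and handler names are hypothetical.

```java
import android.app.Activity;
import android.app.KeyguardManager;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import android.provider.ContactsContract;

// Illustrative pattern only (not Skype's implementation): an incoming-call screen
// that may appear over the lock screen, but which refuses to reach user data
// (contacts, photos, messaging) until the device has actually been unlocked.
public class IncomingCallActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // The answer/decline UI itself is a legitimate thing to show over the keyguard.
        setShowWhenLocked(true); // Activity API, available from API level 27
    }

    // Hypothetical handler for a "share contact" button on the in-call screen.
    public void onShareContactClicked() {
        runIfUnlocked(() -> startActivity(
                new Intent(Intent.ACTION_PICK, ContactsContract.Contacts.CONTENT_URI)));
    }

    // Runs a data-exposing action only when the keyguard is not engaged. If it is,
    // the system credential prompt is shown and the action proceeds only on success.
    private void runIfUnlocked(Runnable action) {
        KeyguardManager km = (KeyguardManager) getSystemService(Context.KEYGUARD_SERVICE);
        if (!km.isKeyguardLocked()) {
            action.run();
            return;
        }
        km.requestDismissKeyguard(this, new KeyguardManager.KeyguardDismissCallback() {
            @Override
            public void onDismissSucceeded() { action.run(); }

            @Override
            public void onDismissCancelled() { /* user backed out: do nothing */ }

            @Override
            public void onDismissError() { /* keyguard could not be dismissed: do nothing */ }
        });
    }
}
```

The essential check is that the decision to expose data is taken against the keyguard state at the moment of the action, not inferred from the fact that the call UI was permitted to appear.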
Microsoft was notified of the vulnerability in October and fixed it in the new Skype version released on December 23, 2018. Now that the vulnerability has been publicly disclosed, users are urged to install the new version or update their existing Android Skype app to ensure maximum security.
The patch is included in all Skype versions above 220.127.116.116. To update, follow these steps:
Tap the Google Play icon on your home screen.
Swipe in from the left edge of the screen.
Tap My apps & games.
Tap the Update box next to the Skype app.