Earlier this month Google released a security update to address 8 CVEs (2x critical severity, 4x high, 1x moderate, 1x low) within the Android smartphone operating system.
Among these issues was an Android lockscreen bypass. This issue involved entering a very large number of characters into the password prompt of the Android lockscreen when the Camera app is also open.
How Severe Is This Issue?
Google assigned it a moderate severity since it is an easy but tedious process to exploit this bug. In addition, this issue is only present if you are using a password to protect the lockscreen of your Android smartphone. More common methods of entering a PIN or using a pattern lock do not appear to be affected by this issue.
Moreover, once the issue is exploited, the attacker will only have access to the apps on the home screen; they don't obtain access to soft buttons or the keyboard. The security researcher who reported this issue to Google used Android Debug Bridge (adb) to access any data on the phone once it was in this partially unlocked state. Further discussion of this issue is provided in this Sophos blog post.
How Can I Protect Myself From This Issue?
Google released an over-the-air security update for its Nexus devices to fix this lockscreen issue (as well as other security issues). Please ensure that your Android device is running version 5.x (build LMY48M or later) to resolve this and the other security issues.
If your mobile carrier has not yet issued this update to your Android phone, please consider contacting them to check when this update will be issued to you and, if possible, find out how they plan on updating your phone each month as Google make updates available.