Amid a troubled security year for Android (including the Stagefright bug found in April), earlier this month Google released the Android 5.1.1 build LMY48M on September 9, containing a fix for a vulnerability that had been discovered in June by John Gordon, security analyst at the University of Texas’ information security office. The bug, which affects devices running any version of Android 5.0 to 5.1.1 Lollipop, allows someone with physical access to the device to bypass the password lockscreen, thus gaining full control over the device. All it involves is the attacker entering a long enough sequence of symbols in the password field while the camera app is running, causing the device to crash to the home screen. Prior to the new build release, Google had marked the exploit as ‘moderate’ in August, and released a patch, though only for their Nexus devices. In light of the issues facing the operating system, moreover, the company announced the Android bug bounty program, which offers cash incentives for researchers who report any flaws they find in the OS.
By: Jonathan Weicher