Answering a Skype call allows bypassing the lock screen of an Android smartphone

The latest Skype update appears to have fixed this flaw

Cybersecurity and ethical hacking specialists from the International Institute of Cyber Security reported the finding of a flaw in the Android version of Skype that could be exploited to bypass the device's lock screen passcode and reach files, contacts, and even the device's browser.

Florian Kunushevci, a vulnerability bounty hunter, explained that the flaw lets anyone holding a locked Android smartphone receive a Skype call, answer it without unlocking the device, and from the call screen browse photos, search the contacts list, send text messages, and even open the browser if a link to any page is sent in the conversation. Anyone with the phone in hand could exploit this, be they family, friends, or strangers; no exploit tooling is involved. The flaw has already been reported to Microsoft.

Kunushevci, a young researcher from Kosovo, describes himself as an ordinary user of Skype for Android. It was during this routine use that he noticed anomalous behavior in the application related to the way it accesses files stored on the smartphone. Having noticed this, the researcher decided to start a small ethical hacking project to find out what was happening with the Skype service.

“Recently, while I was using the application, I felt the need to check an option that apparently granted more permissions than it should,” said the young cybersecurity expert.

Kunushevci discovered that once a Skype call is answered, the application keeps operating exactly as it would on an unlocked phone, allowing actions such as accessing the phone's files or searching contacts, regardless of whether the phone was locked when the call arrived and without the device ever asking for the unlock credential.

Like several lock-screen bypasses found in iOS over the years, this vulnerability stems from an oversight in the design of the security boundary rather than from a memory-corruption bug: Skype, having legitimately been allowed to show its call screen over the lock screen, lets the user continue into its other functions without any additional step of identity verification. “I think this vulnerability is rather a design flaw,” the expert says.
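As an added illustration of the design flaw the article describes (example code written for this page, not Skype's source and not Kunushevci's work), the following Android snippet shows the pattern in a weak form beside a hardened one. It assumes a hypothetical incoming-call activity that is displayed over the lock screen with FLAG_SHOW_WHEN_LOCKED; the activity names, layout and view ids, the linkFromChat() placeholder and the runWhenUnlocked helper are this example's own assumptions.

```java
import android.app.Activity;
import android.app.KeyguardManager;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.view.WindowManager;

// Hypothetical in-call screen shown over the lock screen (illustration, not Skype's code).
// The weak handler lets a control reachable from this screen run while the keyguard is
// still up; the hardened handlers gate the same navigation on an explicit unlock.
public class IncomingCallActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Needed so an incoming call can be answered without unlocking. This flag is the
        // only reason the screen is visible at all while the device is locked.
        getWindow().addFlags(WindowManager.LayoutParams.FLAG_SHOW_WHEN_LOCKED
                | WindowManager.LayoutParams.FLAG_TURN_SCREEN_ON);
        setContentView(R.layout.incoming_call);   // assumed layout

        // WEAK: navigation away from the call is allowed unconditionally, so whoever holds
        // the phone reaches the contacts screen without ever entering the PIN.
        findViewById(R.id.open_contacts).setOnClickListener(v ->
                startActivity(new Intent(this, ContactsActivity.class)));   // assumed activity

        // HARDENED: anything beyond answering or declining the call must first dismiss the
        // keyguard, which makes Android itself prompt for the PIN, pattern or biometric.
        findViewById(R.id.open_link).setOnClickListener(v ->
                runWhenUnlocked(() -> startActivity(
                        new Intent(Intent.ACTION_VIEW, Uri.parse(linkFromChat())))));
        findViewById(R.id.open_gallery).setOnClickListener(v ->
                runWhenUnlocked(() -> startActivity(
                        new Intent(this, GalleryActivity.class))));          // assumed activity
    }

    /** Run {@code action} only once the device is unlocked (or immediately if it never was locked). */
    private void runWhenUnlocked(Runnable action) {
        KeyguardManager km = (KeyguardManager) getSystemService(KEYGUARD_SERVICE);
        if (!km.isKeyguardLocked()) {
            action.run();   // screen was not locked: there is nothing to bypass
            return;
        }
        // API 26+: asks the system to show its own credential prompt; the action only runs
        // if the user actually authenticates.
        km.requestDismissKeyguard(this, new KeyguardManager.KeyguardDismissCallback() {
            @Override public void onDismissSucceeded() { action.run(); }
            @Override public void onDismissCancelled() { /* user backed out: stay on the call */ }
            @Override public void onDismissError()     { /* keyguard cannot be dismissed: stay put */ }
        });
    }

    private String linkFromChat() {
        return "https://example.com/";   // placeholder for a URL received in the call's chat
    }
}
```

The contacts handler is left in the weak form on purpose so the two can be compared side by side. Two points a reviewer would check in a real app: FLAG_SHOW_WHEN_LOCKED (or Activity.setShowWhenLocked on API 27+) should be set only on the call activity, because if a shared base activity sets it, every screen reachable from the call inherits the bypass; and isKeyguardLocked() also returns true for a swipe-only lock, so an app that wants to know whether a real credential protects the device should consult KeyguardManager.isDeviceLocked() (API 22+) as well.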

Before publishing any vulnerability report, Kunushevci disclosed the flaw to Microsoft and waited for the company to release an update correcting it. According to cybersecurity experts, the fix shipped in the Skype update of December 23. Kunushevci says the bug affected all versions of Skype for Android, although how much an attacker could reach seems to vary with the version of the operating system.

Despite being only 19 years old, Kunushevci says he has several years of experience researching these issues. As he tells it, his interest began at the age of 12, when he was looking for fixes for common problems on his PC. A couple of years later he was already fully focused on vulnerability research and submitting reports to several bug bounty programs.