Two security vendors have released temporary fixes for a flaw in some Samsung Android phones that could allow an attacker to bypass a locked screen.
The problem comes from Samsung's implementation of the emergency call feature, which allows people to dial emergency services or reveals a contact people can dial if they find someone's phone, said David Richardson, a product manager at Lookout Mobile Security.
[ Understand how to both manage and benefit from the consumerization of IT with InfoWorld's "Consumerization Digital Spotlight" PDF special report. | Subscribe to InfoWorld's Consumerization of IT newsletter today. ]
Lookout and Bkav Mobile Security have issued updates in their products to temporarily fix the flaw.
Samsung configured the emergency call function in such a way that it appears to briefly unlock the phone, Richardson said.
The flaw is serious since it means anyone who lost their phone is at risk of having their phone's data accessed. The number of devices affected isn't known, but Richardson said Lookout found it affects the Galaxy S3, the S3 Mini and Note II running Samsung's implementation of Android Jelly Bean.
There appear to be a few variations of the flaw, which was first reported earlier this month by Terence Eden, a developer community manager based in the U.K. with InMobi, a mobile advertising agency.
Eden wrote of another flaw he found on Wednesday. In a demonstration using a Galaxy Note II running Android 4.1.2, Eden quickly fiddles with the emergency call function and eventually downloads an application from Google's Play store that removes the locking function on the phone.
"This is a very tricky procedure," Eden said.
Richardson said the most severe variation can allow persistent access to the device until the phone is rebooted. Samsung has not patched the issue yet.
When Samsung issues a patch, Richardson said Lookout can disable its fix. Samsung officials could not be immediately reached for comment.
Send news tips and comments to firstname.lastname@example.org. Follow me on Twitter: @jeremy_kirk.