Android lock screen vulnerability could give attackers complete access to your phone — what to do


Attention, Android users — you need to update your phone.

According to Bleeping Computer, there is a way to completely bypass the Android lock screen on your phone, even on Android 13 smartphones. This vulnerability was discovered by cybersecurity researcher David Schütz, who accidentally bypassed the lock screen on his Pixel 6 after unintentionally locking his SIM card. The only caveat to this vulnerability is that the phone needs to have been unlocked once since its last reboot. It is also unclear whether this exploit works on a device that is using an eSIM, but it seems that it can work on any Android phone with a physical SIM slot.

The good news is that Google is aware of the issue and has already fixed this vulnerability in its November 7 security update. So as long as you have that installed, you should be good to go. The flaw affects devices running Android 10 or later, so if you have an Android device you should make sure you have all the latest updates. The bug was only found on Google Pixel 6 and Google Pixel 5, but there’s nothing that indicates that the issue is inherently limited to Pixel phones. If you have any Android phone, just play it safe and update. 

Android lock screen bypass: How it works 

The Android lock screen bypass is relatively simple. Basically, anyone who has physical access to the phone and an extra SIM card can do it. 

Once the device’s screen is put to sleep, the attacker tries to wake it up and unlock it. Without the correct fingerprint or PIN, this won’t work. After enough failed attempts, the device temporarily disables further attempts to unlock it.

Here’s where the exploit comes in. Once that temporary unlock disable is active, all the attacker needs to do is remove your SIM card and insert a SIM card of their own. After that, they just need to incorrectly enter the SIM PIN until the phone prompts them to enter the Personal Unlock Code/Personal Unlocking Key (POC/PUK). As long as the attacker enters the POC/PUK correctly, they will then be prompted to enter a new PIN for the SIM card. Once they set that PIN, the phone unlocks, giving the attacker full access to the device.

Again, this potentially affects all the latest and best Android phones, even though the vulnerability was discovered on a Google Pixel 6. So make sure, even if you bought a brand new device, to update to the latest version of Android and get the November 7 security patch. 

Malcolm McMillan
News Writer
