Massive Android lock screen bug lets attackers access your photos and other personal data — how to stay safe

Even though we mainly worry about hackers compromising our devices through malware or malicious apps, a newly discovered bug could allow an attacker with physical access to one of the best Android phones to look at photos, contacts, browsing history and other personal data stored on a device.

As reported by Security Affairs, a security researcher by the name of Jose Rodriguez has found a new lock screen bypass vulnerability that affects smartphones running Android 13 or Android 14.

After asking on social media whether or not it was possible to open a Google Maps link from his phone’s lock screen, Rodriguez found that he was able to do so by exploiting a vulnerability.

To make matters worse, Rodriguez claims that he reported the issue to Google back in May of this year and now, six months later, it has yet to be patched. Hopefully the search giant addresses this bug soon, but in the meantime here’s everything you need to know about this lock screen bypass bug along with what you can do right now to minimize its impact.

Using Google Maps to access your data

The way in which an attacker can exploit this vulnerability to access the data stored on your smartphone depends on how you have Google Maps configured.

For those who do not have Driving mode activated, an attacker can access your recent and favorite locations (like home and work) as well as your contacts. From here, they can also share the location of your phone in real time with any of your contacts or via an email that they need to enter manually.

If you do have Driving mode activated though, an attacker can chain together this exploit with another one to access photos stored on your device, and they can also publish them or add them as a profile image to your Google Account. At the same time, the attacker can also access extensive information about your account and how it’s configured. However, there is also the possibility that they can gain full access to your Google Account from a second device — Rodriguez is still looking into that part.

While uninstalling Google Maps from your phone would prevent an attacker from using this lock screen bypass bug to their advantage, since it’s a system app, it can’t be uninstalled. 

In an email to Tom's Guide, a Google spokesperson revealed that "we are aware of this reported issue, and we are working on a fix." However, we still don't have a timeline for when it could roll out to affected Android smartphone users.

How to keep your Android smartphone safe from attacks

Based on what we know so far about this lock screen bypass bug, those who are really concerned about an attacker gaining access to their Android smartphone should consider disabling Driving mode in Google Maps for the time being. While we don’t have our own guide on this process, this support document from Google lays out exactly what you need to do to enable or disable Driving mode.

It’s worth noting though that an attacker still needs physical access to your smartphone to exploit this bug. For that reason, if you don’t let your phone out of your sight, you should be okay until a patch to fix this issue rolls out. This means that you want to avoid leaving your phone on the table when out to eat as an attacker could take it right off the table. Likewise, when using your phone in public, you want to be aware of your surroundings as someone could come along and snatch it out of your hands.

When it comes to cyber attacks and other ways hackers can break into your phone online, the best Android antivirus apps can help keep you safe from malware, malicious apps and other threats. If you’re on a tight budget though, you want to make sure that Google Play Protect is enabled on your device as it can also scan all of your existing apps and any new ones you download for malware.

This lock screen bypass bug is quite serious, and as it even applies to the latest version of Android, Google is already working on a fix that could be rolled out soon.

Anthony Spadafora
Managing Editor Security and Home Office
