(Credit: Tom McNamara/Download.com)

The year 2018 taught us a lot about the security of our personal data -- namely, that social networks may harvest it and sell it to political groups who can use it to manipulate your decisions at the voting booth -- and perhaps 2019 will teach us more about the security of the devices where that data is located.

Today, The Register reports on a Skype for Android security flaw discovered by Kosovar bug researcher Florian Kunushevci, who determined that an incoming Skype call doesn't trigger the operating system's lock screen security mechanisms. At the ripe age of 19, Kunushevci is single-handedly finding loopholes that evade entire teams of highly paid experts who may be twice his age.


And he didn't even have to mess with programming code. He simply noticed that an incoming Skype call gives you access to the entire Skype app no matter what method you use to lock your Android device's screen, and full access to the internet if the call contains a link that you can open in a web browser.

Although this bug only affects Skype and whatever web browser you open from within it, the implications are pretty serious, as it reveals a lack of checks and balances within Android itself. While The Register reports that Microsoft was notified of the issue in October and created a patch December 23, one might wonder how the operating system doesn't appear to notice that a basic security mechanism is not being activated.

With this bug present, someone can access your Skype account and its photos, texts and call logs just by being in possession of your phone at the time of an incoming Skype call. If they know your Skype number as well, they can use this info to trigger the bypass themselves. So certain conditions have to be met to exploit the flaw -- but meeting them also doesn't require much technical knowledge.


Either way, it can take a few weeks for a patch to roll out, so you might not have the update yet. If you open the Google Play product page for Skype on your Android device, and the "What's New" section says "Last updated Dec 11, 2018," then you do not have the fix. You need the update that came out December 23.

If you don't have the update, and you're concerned about your security or privacy, you may want to consider uninstalling Skype until the December 23 patch appears on the product page as viewed on your phone. In the meantime, alternatives include WhatsApp, Facebook Messenger and Instagram. And if you don't need group video chat support, then there's always the free Google Duo.


  • A Kosovar bug researcher recently discovered that the Android version of Skype lets incoming calls bypass the lock screen and grant full access to the app.
  • If a call contains a link to a website, that link can also be tapped on to open and gain control of the device's web browser.
  • Microsoft patched the flaw on December 23, but the update may not have rolled out to your device yet.


Tom McNamara is a Senior Editor for CNET's Download.com. He mainly covers Windows, mobile and desktop security, games, Google, streaming services, and social media. Tom was also an editor at Maximum PC and IGN, and his work has appeared on CNET, PC Gamer, MSN.com, and Salon.com. He's also unreasonably proud that he's kept the same phone for more than two years.