A critical flaw in an Android app downloaded as many as 100 million times allows attackers to take full control of handsets even when they're protected by screen locks.

The vulnerability in the Skype rival known as Viber affects Android smartphone brands such as Samsung, Sony, and HTC, according to a blog post published Tuesday by Bkav Internet Security. Although attack techniques differ from model to model, they all exploit programming logic in the way Viber handles popup messages, researchers with the company wrote.

A spokesman Viber Media, maker of the affected app, said company officials learned of the vulnerability on Wednesday and plan to release a fix next week.

"In the meantime, anyone concerned about this issue can resolve it by disabling Pop-up Notifications in the Android version of Viber," Viber said in a statement issued to Ars. "This can be done by going to Viber Settings and choosing to disable—'New Message Pop-Up.'"

In the past few months, several bugs discovered in Android and iOS smartphones have allowed people with physical access to bypass screen locks. People rely on them to keep their e-mails, contacts, and other sensitive information private in the event their mobile devices are lost or stolen. Frequently, the vulnerabilities reside in a specific piece of hardware.

As the above videos demonstrate, the latest vulnerability affects a variety of handsets as long as they have Viber installed. Steps for exploiting the bug involve sending a Viber message to the target handset, using the notification bar of the target handset to make the Viber keyboard appear, and then manipulating model-specific features to bypass the screen lock. According to Google Play, where Viber for Android is available, the app has been downloaded anywhere from 50 million to 100 million times. When iOS and Blackberry owners are counted, the company said in February it had 175 million users—up from 140 million users in December. There's no indication non-Android smartphones contain the same bypass vulnerability yet.