Curesec experts reported the vulnerability to Google in October 2013

Dec 3, 2013 12:26 GMT

Security researchers from Curesec warn that a vulnerability in Android Jelly Bean (4.3) can be exploited by cybercriminals to remove all device locks, such as PINs, passwords, gestures and face recognition.

According to the experts, the security hole can be leveraged with the aid of rogue apps installed on the device. Curesec says it has come forward with its findings because the Android Security Team has stopped responding to its inquiries and the issue remains unpatched.

“The bug exists on the ‘com.android.settings.ChooseLockGeneric class.’ This class is used to allow the user to modify the type of lock mechanism the device should have,” researchers noted in their advisory.

This class contains a piece of code that requires the user to enter the previous lock in order to change settings. For example, if the PIN is changed, the old one must be entered.

However, the vulnerability identified by the experts can be exploited to control whether this confirmation is required before the lock mechanism is changed.
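The class of flaw described above, modelled in plain Java as an added illustration (not Curesec's PoC and not Android source code): a component that lets the caller's request decide whether the old lock must be entered, next to a version that derives the requirement from device state and caller identity. The package names, the `confirm_old_lock` flag and the `Request` type are hypothetical, and the sample requests are constructed; it needs Java 16 or later.

```java
import java.util.Map;

// Simplified model of a lock-settings screen. All names are hypothetical.
public class LockChangeModel {
    enum Lock { NONE, PIN, PASSWORD, PATTERN, FACE }

    // A request to open the lock-type chooser, as seen by the receiving component.
    record Request(String callerPackage, Map<String, Boolean> extras) {}

    static final String OWN_PACKAGE = "com.example.settings";  // assumed trusted caller
    static final String CONFIRM_FLAG = "confirm_old_lock";     // hypothetical request flag

    // Flawed: whoever sends the request decides whether the old lock is asked for.
    // The current lock state is not consulted at all.
    static boolean mustConfirmFlawed(Request r, Lock current) {
        return r.extras().getOrDefault(CONFIRM_FLAG, true);
    }

    // Hardened: confirmation is required whenever a lock is set. Only the
    // component's own package (which has already run the confirmation step in
    // this model) may waive it; the flag is ignored for every other caller.
    static boolean mustConfirmHardened(Request r, Lock current) {
        boolean trustedCaller = OWN_PACKAGE.equals(r.callerPackage());
        boolean waived = trustedCaller && !r.extras().getOrDefault(CONFIRM_FLAG, true);
        return current != Lock.NONE && !waived;
    }

    public static void main(String[] args) {
        // Constructed sample requests against a device that currently has a PIN.
        Request[] cases = {
            new Request(OWN_PACKAGE, Map.of()),
            new Request(OWN_PACKAGE, Map.of(CONFIRM_FLAG, false)),
            new Request("com.example.otherapp", Map.of(CONFIRM_FLAG, false)),
        };
        for (Request r : cases) {
            System.out.printf("%-22s extras=%-26s flawed=%-5b hardened=%b%n",
                r.callerPackage(), r.extras(),
                mustConfirmFlawed(r, Lock.PIN), mustConfirmHardened(r, Lock.PIN));
        }
    }
}
```

The third request is the case the article describes: the flawed check skips confirmation for a third-party caller, while the hardened check still requires the old PIN.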

The issue was reported to Google on October 11, 2013. After the initial response, which came the second day, the company stopped responding to Curesec’s emails.

The IT security firm has even published an app to demonstrate its findings. The POC application is capable of removing locks instantly or at a time defined by the user.

It appears that only Android 4.3 is impacted by the issue. However, that’s enough considering that Jelly Bean is currently installed on over half of all Android devices.

Additional technical details, including the POC app, are available on Curesec’s blog.