Researchers have found a serious security hole in Android 4.3 Jelly Bean that can allow a rogue application to bypass the targeted device’s security, turning off the various security locks.
The CureSec research team, who uncovered the vulnerability, have explained that a malicious Android app can disable security options such as facial recognition, PIN codes and gesture locks. They have also produced a proof-of-concept app and published source code demonstrating the flaw.
The vulnerability in the Jelly Bean version of the Android operating system allows the malicious app, without any special permissions, to disable the normal security mechanism. Normally, of course, to change such security options, the person changing the settings would need to verify their identity by entering the existing password.
Oh dear oh dear oh dear.
CureSec discovered the bug (dubbed CVE-2013-6271) back in October and reported it to Google.
The good news is that Google has included a fix for the security vulnerability in Android 4.4 Kit Kat.
The bad news is that most people aren’t running Android 4.4 Kit Kat. In fact, the vast majority are stuck on Jelly Bean.
Once again, I feel obliged to remind Android users to be very careful what apps they install on their devices. It’s becoming more and more common to encounter malicious Android apps – both outside and inside the Google Play store.
Google polices the Android platform nowhere near as thoroughly as Apple vets apps to protect its iOS users.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
3 comments on “How a rogue app can turn off all device locks on your Android smartphone”
I'm trying to figure out the real-world use case for an exploit like this. The attacker convinces a user to install a rogue app, which disables the lock screen and… what? Then sends someone to steal the phone? I guess there are some very specific espionage scenarios where this might be feasible, but it's not exactly the most frightening payload I've seen.
There are probably a few scenarios.
But here's one: jealous boyfriend/girlfriend/spouse.
They already have physical access to your Android smartphone, but can't (without rousing suspicion) ask you what your PIN code is, or gain access to the messages you might have been sending to a secret lover.
So, they suggest you install this "great game" instead. And bingo.
Yeah, fair enough. Though I'd probably just shoulder surf to learn the password/PIN. :)