How a rogue app can turn off all device locks on your Android smartphone

Graham Cluley

Researchers have found a serious security hole in Android 4.3 Jelly Bean that can allow a rogue application to bypass the targeted device’s security, turning off the various security locks.

The CureSec research team, who uncovered the vulnerability, have not only explained that a malicious Android app can disable security options such as facial recognition, PIN codes and gesture locks, but have also produced a proof-of-concept app and published source code demonstrating the flaw.

Unlock proof-of-concept Android app

The vulnerability in the Jelly Bean version of the Android operating system allows the malicious app, without any special permissions, to disable the normal security mechanism. Normally, of course, to change such security options, the person changing the settings would need to verify their identity by entering the existing password.

Oh dear oh dear oh dear.

CureSec discovered the bug (dubbed CVE-2013-6271) back in October and reported it to Google.

The good news is that Google has included a fix for the security vulnerability in Android 4.4 KitKat.

The bad news is that most people aren’t running Android 4.4 KitKat. In fact, the vast majority are stuck on Jelly Bean.

Once again, I feel obliged to remind Android users to be very careful about which apps they install on their devices. It’s becoming more and more common to encounter malicious Android apps – both outside and inside the Google Play store.

The Android platform is nowhere near as well policed by Google as iOS is by the vetting Apple does to protect its users.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast.

3 comments on “How a rogue app can turn off all device locks on your Android smartphone”

  1. Maxim Weinstein

    I'm trying to figure out the real-world use case for an exploit like this. The attacker convinces a user to install a rogue app, which disables the lock screen and… what? Then sends someone to steal the phone? I guess there are some very specific espionage scenarios where this might be feasible, but it's not exactly the most frightening payload I've seen.

    1. There are probably a few scenarios.

      But here's one: jealous boyfriend/girlfriend/spouse.

      They already have physical access to your Android smartphone, but can't (without rousing suspicion) ask you what your PIN code is, or gain access to the messages you might have been sending to a secret lover.

      So, they suggest you install this "great game" instead. And bingo.

  2. Maxim Weinstein

    Yeah, fair enough. Though I'd probably just shoulder surf to learn the password/PIN. :)
