A vulnerability in Android Jelly Bean (4.3) can be exploited to remove all device locks, such as passwords, gestures, face recognition and PINs.
Attackers could take advantage of the security hole with the aid of rogue apps installed on the device, said researchers at security company Curesec.
The security firm came forward with its findings because the Android Security Team stopped responding to its inquiries and the issue remains unpatched.
“The bug exists on the ‘com.android.settings.ChooseLockGeneric class.’ This class is used to allow the user to modify the type of lock mechanism the device should have,” researchers said in their advisory.
This class contains a piece of code that requires the user to enter the previous lock in order to change settings. For example, if the user wants to change the PIN, he or she must enter the old one.
However, an attacker can exploit the vulnerability whether or not the confirmation to change the lock mechanism is enabled.
Researchers reported the issue to Google on October 11. After the initial response, which came the second day, the company stopped responding to Curesec’s emails.
The IT security firm has even published an app to demonstrate its findings. The PoC application is capable of removing locks instantly or at a time defined by the user.
It appears that only Android 4.3 suffers from the issue. However, that’s enough considering that Jelly Bean is currently installed on over half of all Android devices.
Additional technical details, including the POC app, are available on Curesec’s blog.