How a rogue app can turn off all device locks on your Android smartphone

Graham Cluley

Researchers have found a serious security hole in Android 4.3 Jelly Bean, that can allow a rogue application to bypass the targeted device’s security, turning off the various security locks.

The CureSec research team, who uncovered the vulnerability, have explained that a malicious Android app can not only disable security options such as facial recognition, PIN codes and gesture locks, but have produced a proof-of-concept app and published source code demonstrating the flaw.

Unlock proof-of-concept Android app

The vulnerability in the Jelly Bean version of the Android operating system allows the malicious app, without any special permissions, to disable the normal security mechanism. Normally, of course, to change such security options, the person changing the settings would need to verify their identity by entering the existing password.

Oh dear oh dear oh dear.

CureSec discovered the bug (dubbed CVE-2013-6271) back in October and reported it to Google.

The good news is that Google has included a fix for the security vulnerability in Android 4.4 Kit Kat.

The bad news is that most people aren’t running Android 4.4 Kit Kat. In fact, the vast majority are stuck on Jelly Bean.

Once again, I feel obliged to remind Android users, to be very careful what apps they install on their devices. It’s becoming more and more common to encounter malicious Android apps – both outside and inside the Google Play store.

The Android platform is nothing like as well policed by Google as the vetting Apple does to protect its iOS users.

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

3 Replies to “How a rogue app can turn off all device locks on your Android smartphone”

  1. I'm trying to figure out the real-world use case for an exploit like this. The attacker convinces a user to install a rogue app, which disables the lock screen and… what? Then sends someone to steal the phone? I guess there are some very specific espionage scenarios where this might be feasible, but it's not exactly the most frightening payload I've seen.

    1. There are probably a few scenarios.

      But here's one: jealous boyfriend/girlfriend/spouse.

      They already have physical access to your Android smartphone, but can't (without rousing suspicion) ask you what your PIN code is, or gain access to the messages you might have been sending to a secret lover.

      So, they suggest you install this "great game" instead. And bingo.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Never miss a thing. Sign up for the free GCHQ newsletter from Graham Cluley.
GET UPDATES