Researchers have found a serious security hole in Android 4.3 Jelly Bean, that can allow a rogue application to bypass the targeted device’s security, turning off the various security locks.
The CureSec research team, who uncovered the vulnerability, have explained that a malicious Android app can not only disable security options such as facial recognition, PIN codes and gesture locks, but have produced a proof-of-concept app and published source code demonstrating the flaw.
The vulnerability in the Jelly Bean version of the Android operating system allows the malicious app, without any special permissions, to disable the normal security mechanism. Normally, of course, to change such security options, the person changing the settings would need to verify their identity by entering the existing password.
Oh dear oh dear oh dear.
CureSec discovered the bug (dubbed CVE-2013-6271) back in October and reported it to Google.
The good news is that Google has included a fix for the security vulnerability in Android 4.4 Kit Kat.
The bad news is that most people aren’t running Android 4.4 Kit Kat. In fact, the vast majority are stuck on Jelly Bean.
Once again, I feel obliged to remind Android users, to be very careful what apps they install on their devices. It’s becoming more and more common to encounter malicious Android apps - both outside and inside the Google Play store.
The Android platform is nothing like as well policed by Google as the vetting Apple does to protect its iOS users.