Android Bug Removes Lock Screen


Security company Curesec disclosed a vulnerability that disables the lock screen in Android 4.3 Jelly Bean. Android 4.3 is Google’s most widely distributed version of their mobile operating system — about 54.5 percent of Android users are on Jelly Bean.

Android has a few options when it comes to locking your device: PIN, pattern, or facial recognition. The security hole lies in the Java class that handles which lock type is used.


When a user changes the lock type, they are required to enter the lock/PIN of the previous one. If a malicious app were to target this vulnerability, it could bypass this check altogether.

Curesec’s blog discloses the bug and includes some proofs of concept (PoCs) and code examples. One such PoC is an Android app that allows you to remove locks in one click or on a timer.


Curesec attempted to contact Google about this bug, but Google became unresponsive to their queries, which led Curesec to disclose it publicly.

The company said they are also checking whether the vulnerability exists in other versions of Android.

This is just another example of the lock screen challenges mobile device and operating system developers are running into. It seems every iteration has a new vulnerability introduced or an existing one uncovered.

This isn’t isolated to Android; iOS has had its share of screen lock issues.

Although there are some ways of bypassing the lock screen on your mobile device, we here at Malwarebytes still encourage using a security lock as a first line of defense.

ABOUT THE AUTHOR

Armando Orozco

Senior Malware Intelligence Analyst

Faux geek who likes to keep it bland. Experienced in behavioral, PC, and mobile technologies.