OFFICIAL SECURITY BLOG
December 5, 2013 | BY Armando Orozco
Security company Curesec disclosed a vulnerability that disables the lock screen in Android 4.3 Jelly Bean. Android 4.3 is Google’s most widely distributed version of their mobile operating system — about 54.5 percent of Android users are on Jelly Bean.
When a user changes the lock type, they are required to enter the lock/PIN of the previous one, if a malicious app were to target this vulnerability it could bypass this check altogether.
The Curesec’s blog discloses the bug, includes some proof of concepts (PoC) and code examples. One such PoC is an Android app that allows you to remove locks in one click or set on timer.
Curesec attempted to contact Google about this bug, but Google became unresponsive to their queries which led Curesec to publicly disclose.
The company said are also checking if vulnerability exists in other version of Android.
This is just another example of the lock screen challenges mobile device and operating system developers are running into. It seems every iteration has a new vulnerability introduced or an existing one uncovered.
Although there are some ways of bypassing the lock screen on your mobile device, we here at Malwarebytes still encourages using a security lock as a first line of defense.