In September, Google added it remote locking device in its management Android, allowing users to lock the phone them, if stolen or lost.
The mechanism allows the user to bypass the existing device lock system and set a schematic system password for better security.
But recently, the Curesec, a research team from Germany has discover an interesting vulnerability ( CVE-2013-6271 ) in Android 4.3 which allows a rogue application to remove all existing locks on the device that has been activated by its owner.
"There is a bug in "Com.android.settings.ChooseLockGeneric class". This category usesto allow the user to modify the type of mechanism lock that the device should have." says the CRT team on the blog post
Android OS has many mechanisms to lock and unlock the device such as PIN, Password, gesture, and even face recognition, though most of them half users do not use them. However, for any modification to the settings code access, the device asks the user to confirm the previous lock.
But if a malicious application is installed on the device, it could take advantage of the defect to unlock the device without knowing the previous code. Attackers can take advantage of this issue to bypass certain security restrictions to perform unauthorized actions.