In September, Google added it remote locking device in its management Android, allowing users to lock their phone if stolen or lost.
The mechanism allows the user to bypass the existing device lock system and set a rough system password for better better safety.
But recently, the Curesec, a research team by Germany he's got discover an interesting vulnerability ( CVE-2013-6271 ) on Android 4.3 which allows a rogue application toslowto all existing locks on the device that have been activated by its owner.
"There is a bug in "Com.android.settings.ChooseLockGeneric class". This class is used to allow the user to modify its type lockof mechanism that the device should have.” says the CRT team on the blog post
Android OS has many mechanisms to lock and unlock the device such as PIN, Password, gesture, and even face recognition, though most of them half users do not use them. However, for each amendment to settings password, the device asks the user to confirm the previous lock.
But if a malicious application is installed on the device, it could take advantage of the defect to unlock the device without knowing the previous code. Attackers can take advantage of this issue to bypass certain security restrictions to perform unauthorized actions.
