A vulnerability in Android could allow attackers to “unlock” phones without cracking PIN codes – using malware to deactivate Google’s locks on handsets and tablets. The vulnerability can “turn off” all locks a user puts in place – including PIN codes, passwords and face recognition.
The vulnerability, found by German researchers Curesec, affects Android Jelly Bean – an older version of Google’s software. Google has since fixed the issue in newer versions of the OS – but it remains active in Jelly Bean.
Around a third of Android devices still ran Jelly Bean as of July this year, according to Android Central. In September, Google announced that one billion Android devices had been activated – so the number of handsets at risk from malware targeting this vulnerability is liable to be tens or hundreds of millions.
Curesec wrote in its blog post, “Android implements several locks, like pin, password, gesture and even face recognition to lock and unlock a device. Before a user can change these settings, the device asks the user for confirmation of the previous lock (e.g. if a user wants to change the pin or remove it, it has to first enter the previous pin).”
The German researchers found that code executing on the device could unlock it. “As a result, any rogue app can at any time remove all existing locks,” they wrote. To demonstrate, the researchers created an app that removed locks, hosted on their blog.
Android’s fragmentation – the sheer number of different versions in use – has previously led to problems, such as the widely reported Blue Box vulnerability, which affected older handsets, as reported by We Live Security.
ESET Senior Research Fellow Righard J. Zwienenberg wrote at the time: “The biggest problem for consumers is the enormous number of old phones running Android that are still in use, for which the operators will not release a new version. Many phones still run the very popular, but outdated, Gingerbread Android platform. Regardless of whether Google releases patches for these versions, the phones will remain vulnerable.”
SC Magazine, which reported Curesec’s finding, said that the company claimed to have contacted Google on several occasions, and only “went public” after receiving no reply.
The company said it reported the issue to Google on 11 October and received a response the following day. But after Curesec asked Google for feedback three times during October and November, it eventually went public with the problem on 27 November.
While Curesec’s discovery is alarming, it still relies on installing malware on the device. We Live Security has published a guide to using Android safely, and avoiding ‘bad’ apps.
Author Rob Waugh, We Live Security