The researchers who discovered a serious vulnerability in Android 4.3 Jelly Bean that enables a malicious app to disable the security locks on a vulnerable device have published a proof-of-concept app that exploits the bug, as well as source code for the app.

The vulnerability in question lies in the way that Jelly Bean handles the flow of requests when a user attempts to change one of the many security locks in the operating system. If a user goes in to change, for example, the gesture lock, Android will ask the user to confirm her PIN code or another security mechanism. The vulnerability enables a malicious app to disable this check and all of the security locks in the OS. Researchers at Curesec in Germany discovered the bug in October and reported it to Google, which included a fix in Android 4.4 Kit Kat.

However, Android 4.3 Jelly Bean is by far the most widely deployed version of the mobile OS and it has become obvious in the last couple of years that few carriers bother to push security updates to their users, preferring to have them buy new handsets with newer software instead. This means that there are millions of Android devices potentially vulnerable to this attack. The researchers at Curesec on Tuesday published an app that demonstrates the attack and also released the source code for the app, giving other researchers the ability to reproduce the exploit.

Marco Lux, a researcher at Curesec, said that he doesn’t know of any workarounds for the vulnerability, and there’s no patch available for Jelly Bean at this point.

“I am not aware of any workaround. By my current knowledge it can be only done by a malicious app,” Lux said via email.

Unlike Apple, which pushes updates directly to users via the software update mechanism in iOS, Android updates are the responsibility of the various carriers who sell Android devices. The ACLU has asked the Federal Trade Commission to investigate the carriers’ failure to send security updates to users and security and privacy researchers have been critical of the carriers for this oversight, as well.

In order to exploit the vulnerability discovered by Curesec, an attacker would need to entice a target user to download a malicious app to her device, something that has proven to be rather easy to do in recent years. Malicious apps, as well as legitimate ones laden with hidden malware, have shown up regularly in Google Play and third-party app stores.

Image from Flickr photos of Milind Alvares.

Categories: Mobile Security, Vulnerabilities