Written by: C. Anthony Esposito II
In the wake of the text flashing vulnerability found on Nexus devices, a real and much worse vulnerability has emerged. This vulnerability allows a rogue app to disable and remove all device locks in use by the current user.
The flaw lies in the code of the “com.android.settings.ChooseLockGeneric” class, which sets locks such as password, facelock, PIN, etc. Its control flow can be manipulated so that execution continues into “updateUnlockMethodAndFinish()”. By controlling the flow, the rogue app can specify “PASSWORD_QUALITY_UNSPECIFIED”, which essentially unlocks the device completely.
As a result, a rogue app planted on a device could be used to unlock and access the device at any given time. For the original proof of concept, article and examples, please see the IT-Security Blog at the link below.
Source: IT-Security Blog