Recently, Google introduced a remote device locking feature to its Android Device Manager to unlock a stolen or lost device. This feature was exploited
Researchers from the Curesec Research Team in Germany discovered a vulnerability in Android 4.3 that allows a malicious app to remove device locks, leading to CVE-2013-6271.
As per the blog, “The bug exists on the “com.android.settings.ChooseLockGeneric class”. This class is used to allow the user to modify the type of lock mechanism the device should have.”
It further states that “Android implements several locks, like pin, password, gesture and even face recognition to lock and unlock a device. Before a user can change these settings, the device asks the user for confirmation of the previous lock (e.g. if a user wants to change the pin or remove it, it has to first enter the previous pin).”
According to Curesec, it had reported this bug multiple times to the Google Security team, but the team has not responded to this issue. The entire blog is available here