Author Topic: Easy unlocking and disabling Avast!Anti-theft  (Read 12549 times)

SdH

  • Guest
Easy unlocking and disabling Avast!Anti-theft
« on: September 18, 2012, 04:40:27 PM »
Dear Avast! development team,

I wish to report on some severe security issues with the Anti-Theft software.
My system details are as follows:

- I run Anti-Theft version 2.0.2571
- I have an HTC Sensation XE with Android 4.0.3 running on it, the device is not rooted.
- My Anti-theft settings are as follows:
---Deny Program Manager Access: Yes 
---Lock Phone Settings: Yes 
---Prevent USB Debugging: Yes 
---Force Data Connection ON: Yes 
---Thorough Wipe: No 
---Lock Phone: Yes 
---Low Battery Notification: No 
---Only Allow Friend Commands: No 

Of course Anti-Theft is switched on and the phone is rebooted.

Issue 1:

While being seemingly two separate programs, disabling Avast! Mobile Security using the task manager seems to disable Avast! Anti-Theft as well;
I noted that once I disabled Avast! Mobile Security, I suddenly could not give my phone remote commands anymore using my account at www.avast.com.


Issue 2:
When trying the Anti-Theft software I found that it is quite simple to unlock a locked device and uninstall Anti-Theft, without the need of any password or identification by Avast!

The following experiment shows how an unauthorized user is able to remove the Anti-Theft software from my phone, after I have given it remotely the command LOST with the above settings.

1) When the device is locked scroll down the taskbar and try to open settings, wifi-settings, or taskmanager. (the taskbar is still fully operational!)
Most of the time you won't succeed and you will be brought back to the lockscreen as expected.

2) However, if one keeps on trying, then, eventually (within a minute), one will actually enter one of the settings and be past the lockscreen forever (until remotely switched on again).
Remark: At your remote screen online (www.avast.com) it is not noted that the phone has been unlocked.

3) By repeatedly trying to open the settings panel and open the security tab one will eventually succeed (also within one or two minutes) to disable Anti-Theft as a Systemmanager.
(here again, most of the time you are kicked out of the settings)
However, once kicked out of the settings, the current state is saved and once having (maybe for a short period) access one can proceed and does not have to start over.

4) Once having access to the security tab one could remove Anti-Theft as a systemmanager and uninstall the Anti-Theft software. (The latter is also done by repeatedly trying to enter the settings)

NOTE: If the phone is also protected with a pattern (or password), then this will prevent an unauthorized user from using the phone. However, what is the added value (beside the text with contact details) of Avast! locking if its corresponding unlocking is so easy?

I think the unlocking problem can be solved by disabling the taskbar on top of the screen.
I'm curious why disabling Mobile Security also disables (or at least causes failing remote interaction with) Anti-Theft.

Hopefully, the next updates will not suffer these issues.

Cheers,

Sebastiaan


reinhardholzner

  • Guest
Re: Easy unlocking and disabling Avast!Anti-theft
« Reply #1 on: September 19, 2012, 03:23:14 PM »
hi

regarding your first issue: if AMS and AT are installed at the same time, only one of both tools will be the "communication master". now, if AMS is present, and disabled (not uninstalled) and by chance is the master it will not be able to receive the commands. if AMS gets uninstalled though, AT will automatically take over. unfortunately this cannot be changed as it is related to Google Cloud Messaging.

will look at your 2nd issue.

regards
Reinhard

reinhardholzner

  • Guest
Re: Easy unlocking and disabling Avast!Anti-theft
« Reply #2 on: September 19, 2012, 06:34:09 PM »
hi, please send me an email to holzner (at) avast.com. i want to send you a test build.