An Android vulnerability exists that allows a rogue app to remove all existing securities activated by a user of the popular mobile operating system, researchers with Berlin-based IT security advisory company CureSec recently discovered.

“The bug exists on the “com.android.settings.ChooseLockGeneric class,” according to a blog post, which explains how users can effectively remove existing security protocols and set up new options. “This class is used to allow the user to modify the type of lock mechanism the device should have.”

CureSec created an app to test the vulnerability, which was successful on Android 4.0 through Android 4.3, but not in Android 4.4, the latest release. CureSec said it disclosed the issue because the Google Android Security team would not respond to correspondence.