AppLockZ App Lock and Fingerprint Lock (version 4.2.11) contains a flaw that allows a local attacker with physical access to bypass the PIN lock. The application implements the lock as an overlay rather than relying on Android's secure authentication APIs, enabling an attacker to navigate exposed routes and evict lockscreen verification through advertisement or browser intents. This flaw, identified as an improper authentication weakness (CWE-287), permits an attacker to access protected applications such as Chrome, effectively elevating privileges and disclosing sensitive information.

Systems affected include devices running AppLockZ App Lock and Fingerprint Lock 4.2.11 on Android. No vendor or product version list was supplied beyond the specific application version, so any Android device using this version is considered vulnerable.

The vulnerability is local, requiring physical access, but the exploitation path still poses a significant risk. With EPSS not available, the risk assessment relies on the attacker's ability to traverse the overlay. The absence of a KEV listing suggests that no widespread exploitation reports exist yet, yet the flaw's nature allows immediate privilege escalation once bypassed. Attackers can exploit the flaw by exploiting insecure navigation flows or intent‑based advertisement redirection, which the application treats as legitimate control paths.