Researcher Xianbo Wang from Hong Kong recently presented his findings at Black Hat Europe on fingerprint-jacking, a user-interface-based attack that targets fingerprints scanned into Android apps.
What is fingerprint-jacking?
The researchers discovered five new attack techniques, all of which can be launched from a zero-permission malicious Android app, and one of which works against every app that integrates the fingerprint API.
- Fingerprint-jacking lets a malicious app, hidden in the background, lure a victim into entering a fingerprint while another app is in the foreground. The fingerprint input is delivered to the background app and used to authorize a dangerous action without the user noticing.
- On Android 7 and Android 8, a background app can typically listen for fingerprint input; starting in Android 9, Google added mitigations to the FingerprintManager API that block fingerprint input to background apps.
- Furthermore, the researchers managed to bypass these mitigations with a race attack that exploits a bug (CVE-2020-27059) in an Android lifecycle behavior.
- Of 1,630 Android apps that use the fingerprint API, 347 (21.3%) have implementation issues that can let an attacker gain root access through the most widely used root manager apps or steal money from a payment app.
Additional fingerprint-related incident
In November, California-based TronicsXchange exposed over 2.6 million files, including around 80,000 biometric images of personal ID cards and 10,000 fingerprint scans, in a misconfigured AWS S3 bucket.
A funny incident
In October, some novice hackers purposely uploaded their own fingerprints at a luxury goods business while exploiting vulnerabilities in one of the scanners installed to restrict access to its warehouses.
The bottom line
To prevent fingerprint-jacking attacks, experts advise developers to use AndroidX's androidx.biometric API, a securely implemented wrapper around the FingerprintManager and BiometricPrompt APIs. In addition, developers should ensure their app explicitly cancels the fingerprint authentication process whenever the app is paused, so that no fingerprint can be delivered to it while another app is in the foreground.
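As an added illustration of the cancel-on-pause advice (this is not code from the talk or from any app mentioned above), the hypothetical Java activity below uses the androidx.biometric wrapper, starts authentication only while it is resumed, and cancels it explicitly in onPause(); the activity name and authorizeTransfer() are assumptions.

```java
import android.os.Bundle;
import androidx.annotation.NonNull;
import androidx.biometric.BiometricPrompt;
import androidx.core.content.ContextCompat;
import androidx.fragment.app.FragmentActivity;
import androidx.lifecycle.Lifecycle;
import java.util.concurrent.Executor;

// Hypothetical activity that must authorise a sensitive action only while it
// is the foreground activity on screen.
public class TransferConfirmActivity extends FragmentActivity {
    private BiometricPrompt prompt;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Executor mainExecutor = ContextCompat.getMainExecutor(this);
        prompt = new BiometricPrompt(this, mainExecutor,
                new BiometricPrompt.AuthenticationCallback() {
                    @Override
                    public void onAuthenticationSucceeded(
                            @NonNull BiometricPrompt.AuthenticationResult result) {
                        // Defensive check: discard a result that arrives while
                        // this activity is no longer resumed (i.e. in background).
                        if (getLifecycle().getCurrentState()
                                .isAtLeast(Lifecycle.State.RESUMED)) {
                            authorizeTransfer();
                        }
                    }
                });
    }

    @Override
    protected void onResume() {
        super.onResume();
        // Start (or restart after a pause) authentication only in the foreground.
        prompt.authenticate(new BiometricPrompt.PromptInfo.Builder()
                .setTitle("Confirm transfer")
                .setNegativeButtonText("Cancel")
                .build());
    }

    @Override
    protected void onPause() {
        // Explicit cancel: once another app covers this one, no fingerprint
        // entered there can complete this pending prompt.
        prompt.cancelAuthentication();
        super.onPause();
    }

    private void authorizeTransfer() { /* hypothetical app-specific action */ }
}
```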