Fingerprint hijacking: A new way to hack apps using the biometric scanner on smartphones

Most of the latest smartphone models feature a fingerprint scanner used to unlock the device, access apps, and more. Although it seems to be the ideal form of user authentication, hackers have devised multiple methods to abuse this feature.

A group of specialists has revealed a user interface-based attack technique that targets fingerprint scanning in Android apps. According to the report, the technique, known as “fingerprint-jacking”, hides a malicious application under a fake cover in order to intercept the biometric data of the target user.

In their demonstration of the attack, the experts opened the Magisk mobile app, which manages programs with superuser rights, on an Android 10 device.

The researchers then launched a simple diary app that showed a lock screen interface when launched. At this point the user scanned their fingerprint to unlock the device and was redirected to the diary app.

When the Magisk app was launched again, it showed that the diary app was now running with superuser rights on the target device: “The goal of this attack is to trick the victim into inadvertently authorizing arbitrary actions,” the report says.

In their report, the experts detailed five different attack methods, all involving malicious Android apps. Some of these methods make it possible to bypass security measures on Android 9; one of the attacks is even effective against any application integrated with the biometric recognition API.

Versions prior to Android 9 did not have system-level protection, so apps on these devices must themselves block fingerprint input while they are in the background. One of these attacks, identified as Race, relies on exploiting the CVE-2020-27059 vulnerability to intercept the target user’s fingerprints in a similar way.
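
One way an app can block fingerprint input in the background by itself, as the paragraph above says apps on older Android versions must do, is to tie the fingerprint listener to the activity's foreground state. The following is an added example, not code from the report or from any app it discusses; the class name `ConfirmActionActivity` is hypothetical, and it assumes API level 23 or later with the `USE_FINGERPRINT` permission declared in the manifest.

```java
import android.app.Activity;
import android.hardware.fingerprint.FingerprintManager;
import android.os.CancellationSignal;

// Hypothetical activity that asks for a fingerprint before confirming an action.
public class ConfirmActionActivity extends Activity {
    private CancellationSignal cancelSignal;
    private boolean inForeground;

    private final FingerprintManager.AuthenticationCallback callback =
            new FingerprintManager.AuthenticationCallback() {
        @Override
        public void onAuthenticationSucceeded(FingerprintManager.AuthenticationResult result) {
            // Second check: drop a result that arrives after we lost the foreground.
            if (!inForeground) {
                return;
            }
            setResult(RESULT_OK);
            finish();
        }
    };

    @Override
    protected void onResume() {
        super.onResume();
        inForeground = true;
        FingerprintManager fm = getSystemService(FingerprintManager.class);
        if (fm == null || !fm.isHardwareDetected() || !fm.hasEnrolledFingerprints()) {
            return; // no usable sensor, so there is nothing to listen for
        }
        cancelSignal = new CancellationSignal();
        // A null CryptoObject keeps the example short (assumption); a real flow
        // would normally bind the scan to a keystore-backed key.
        fm.authenticate(null, cancelSignal, 0, callback, null);
    }

    @Override
    protected void onPause() {
        // Stop listening as soon as another window takes the foreground,
        // so a scan cannot be consumed while this UI is covered.
        inForeground = false;
        if (cancelSignal != null) {
            cancelSignal.cancel();
            cancelSignal = null;
        }
        super.onPause();
    }
}
```

Cancelling in `onPause()` rather than a later lifecycle callback means the listener is released when the activity is merely covered, not only when it is fully hidden.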