Many modern smartphones have a fingerprint scanner to authorize device access and enable account login, payment authorization, and other operations. The scanner is meant for secure authentication, but researchers are finding new ways to manipulate it for malicious gain.
Xianbo Wang, a Ph.D. student at the Chinese University of Hong Kong, today presented research he conducted along with associate professor Wing Cheong Lau, master's student Yikang Chen, Ph.D. candidate Shangcheng Shi, and Sangfor Technologies security expert Ronghai Yang.
In his Black Hat Europe talk, Wang explained how he was hunting for bugs in a mobile wallet app when he found a tactic that enables "fingerprint-jacking," a user-interface-based attack targeting fingerprint authentication in Android apps. The term stems from clickjacking, he said, as this type of attack conceals a malicious application interface beneath a fake covering.
Wang kicked off his talk with a demo. On a device running Android 10, he opened the Magisk app, which can control the applications on a device that have root access. He then launched a simple diary application; while viewing, the interface of a lock screen appeared. A fingerprint was used to unlock the device and the user was directed back to the diary app. However, when the Magisk app was reopened, he showed the diary app now had root access on the device.
"Our observation, our motivation is that nowadays people use their fingerprints everywhere, especially on mobile devices, for different purposes," Wang said. For example, fingerprints are used to open applications, authorize money transfers, and enable myriad other sensitive mobile processes.
"The target of this attack is to trick the user into authorizing some dangerous actions without noticing it," he added. Researchers discovered five new attack techniques, all of which can be launched from zero-permission malicious Android apps. Some can bypass countermeasures introduced in Android 9, and one is effective against all apps that integrate with the fingerprint API.
In Android's activity life cycle, only one activity can be in the "running" (resumed) state at any given time. An activity that is not in the foreground must have been paused, though it may not yet have been stopped if it is still visible. Normally, when an app performs fingerprint authorization, it starts a new activity that contains the fingerprint authentication functionality. That fingerprint activity goes through the normal stages of create, start, and resume, and is paused when it moves to the background.
The important question for attackers is whether the fingerprint activity can continue listening for fingerprint input while another app is in the foreground. Wang explained that Android does have a mitigation to block this kind of listening; however, the research team found a few ways to bypass it.
Here's how an attack works: The researchers assume the victim's device has a malicious app installed, which can disguise itself as a benign app. After the attack setup, this malicious app launches fingerprint authentication in the target app and uses visual content to lure the victim into entering a fingerprint. That fingerprint input is delivered to the target app in the background and used to authorize an action there.
What kind of attack setup can enable this? "To introduce that, we need to consider different apps' implementation patterns and different Android OS versions," Wang said. Ideally, an attacker would want the malicious app to require no permissions, neither at installation nor when the app is running. They'd also want the attack to work on the latest Android phones.
Apps' ability to listen to fingerprint input in the background depends on the version of Android. If a target phone is running Android 7 or Android 8, apps can typically listen to fingerprint input, Wang said. Starting in Android 9, Google added mitigations to the FingerprintManager API to block background fingerprint inputs.
"Before Android 9, there's no system-level protection, so the apps need to block the background fingerprint input by themselves," he explained.
However, in the most powerful attack technique they discovered, researchers were able to break Android mitigations. The "race-attack" exploits a life cycle behavior when two activities are started within a short period of time, enabling a fingerprint-jacking attack. The team reported this issue to Google in June. It has been assigned CVE-2020-27059, and a patch will be released in the January 2021 Android Security Bulletin.
In an evaluation of 1,630 Android apps that use the fingerprint API, the team found 347 (21.3%) with different implementation issues. They have performed proof-of-concept attacks on some popular apps in which they were able to steal money from a payment app with more than 1 million users and gain root access in the most widely used root manager application.
Wang advised developers to use the AndroidX androidx.biometric library, a wrapper around the FingerprintManager and BiometricPrompt APIs with a secure implementation. He urged them to use third-party libraries carefully, as some of the unofficial libraries the researchers tested were vulnerable to fingerprint-jacking. Finally, he suggested they check their existing implementations: if they use the FingerprintManager API, developers should ensure their app explicitly cancels the fingerprint authentication process when the activity is paused.
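As an added illustration of that last point (example code, not from the talk or from any of the apps it evaluated), here is a hypothetical activity that arms a FingerprintManager listener in onResume() and cancels it in onPause(). It assumes the manifest declares the USE_FINGERPRINT permission and that authorizePayment() is an app-specific action.

```java
import android.app.Activity;
import android.hardware.fingerprint.FingerprintManager;
import android.os.CancellationSignal;

// Hypothetical activity (not from the talk) showing the hardening advised above:
// the FingerprintManager listener is explicitly cancelled in onPause(), so no
// fingerprint input can be consumed while this activity is not in the foreground.
public class PaymentConfirmActivity extends Activity {
    private CancellationSignal cancellationSignal;

    @Override
    protected void onResume() {
        super.onResume();
        startListening();   // arm the listener only while we are in front
    }

    @Override
    protected void onPause() {
        // The essential step: stop listening the moment we leave the foreground.
        // Without it, an activity on Android 7/8 keeps receiving fingerprint events
        // even while another app's UI is drawn on top of it.
        if (cancellationSignal != null && !cancellationSignal.isCanceled()) {
            cancellationSignal.cancel();
        }
        cancellationSignal = null;
        super.onPause();
    }

    private void startListening() {
        FingerprintManager fm = getSystemService(FingerprintManager.class);
        if (fm == null || !fm.hasEnrolledFingerprints()) {
            return;
        }
        cancellationSignal = new CancellationSignal();   // a fresh signal per session
        fm.authenticate(null, cancellationSignal, 0,
                new FingerprintManager.AuthenticationCallback() {
                    @Override
                    public void onAuthenticationSucceeded(
                            FingerprintManager.AuthenticationResult result) {
                        authorizePayment();   // hypothetical app-specific action
                    }
                }, null);
    }

    private void authorizePayment() { /* hypothetical: perform the sensitive action */ }
}
```

After cancel(), the callback receives an onAuthenticationError with FINGERPRINT_ERROR_CANCELED, which is expected and authorizes nothing; the androidx.biometric BiometricPrompt performs this lifecycle handling for you, which is why the talk recommends it.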