
Threat Intelligence

12/10/2020 04:55 PM

'Fingerprint-Jacking' Attack Technique Manipulates Android UI

Researchers explore fingerprint-jacking, a user interface-based attack that targets fingerprints scanned into Android apps.

Many modern smartphones have a fingerprint scanner to authorize device access and enable account login, payment authorization, and other operations. The scanner is meant for secure authentication, but researchers are finding new ways to manipulate it for malicious gain.


Xianbo Wang, a Ph.D. student at the Chinese University of Hong Kong, today presented research he conducted along with associate professor Wing Cheong Lau, master's student Yikang Chen, Ph.D. candidate Shangcheng Shi, and Sangfor Technologies security expert Ronghai Yang.

In his Black Hat Europe talk, Wang explained how he was hunting for bugs in a mobile wallet app when he found a tactic to enable "fingerprint-jacking," which is a user interface-based attack that targets fingerprints in Android apps. The term stems from clickjacking, he said, as this type of attack conceals a malicious application interface beneath a fake covering.

Wang kicked off his talk with a demo. On a device running Android 10, he opened the Magisk app, which controls which applications on a device have root access. He then launched a simple diary application; while he was viewing it, a lock-screen interface appeared. A fingerprint was used to unlock the device, and the user was directed back to the diary app. However, when the Magisk app was reopened, he showed that the diary app now had root access on the device.

"Our observation, our motivation is that nowadays people use their fingerprints everywhere, especially on mobile devices, for different purposes," Wang said. For example, fingerprints are used to open applications, authorize money transfers, and enable myriad other sensitive mobile processes.

"The target of this attack is to trick the user into authorizing some dangerous actions without noticing it," he added. Researchers discovered five new attack techniques, all of which can be launched from zero-permission malicious Android apps. Some can bypass countermeasures introduced in Android 9, and one is effective against all apps that integrate with the fingerprint API.

In Android's Activity Life Cycle, only one activity can be in a "running" state at any given time. When an activity is not in the foreground, it must have been paused but may not have been stopped if it's still visible. Normally, when an app does fingerprint authorization, it starts a new activity that contains the fingerprint authentication functionality. The fingerprint activity goes through the normal activity stages of create, start, and resume, then pause when it's in the background.

The important question for attackers is whether fingerprint activity can continue listening to fingerprint inputs when another app is in the foreground. Wang explained that yes, Android has mitigation to block this kind of activity. However, the research team found a few ways to bypass this.

Here's how an attack works: Researchers assume the victim device has a malicious app installed; this app can disguise itself as a benign one. After attack setup, the malicious app can launch fingerprint authentication in the target app and use visual content to lure the victim into entering their fingerprint. The scanned fingerprints are delivered to the target app, now in the background, and used to authorize the action it has pending.

What kind of attack setup can enable this? "To introduce that, we need to consider different apps' implementation patterns and different Android OS versions," Wang said. Ideally, an attacker would want the malicious app to require no permissions, neither at installation nor when the app is running. They'd also want the attack to work on the latest Android phones.

Apps' ability to listen to fingerprint input in the background depends on the version of Android. If a target phone is running Android 7 or Android 8, apps can typically listen to fingerprint input, Wang said. Starting in Android 9, Google added mitigations to the FingerprintManager API to block background fingerprint inputs.

"Before Android 9, there's no system-level protection, so the apps need to block the background fingerprint input by themselves," he explained.

However, in the most powerful attack technique they discovered, researchers were able to break Android's mitigations. The "race attack" exploits a life cycle behavior when two activities are started within a short period of time, enabling a fingerprint-jacking attack. The team reported this issue to Google in June. It has been assigned CVE-2020-27059, and a patch will be released in the January 2021 Android Security Bulletin.

In an evaluation of 1,630 Android apps that use the fingerprint API, the team found 347 (21.3%) with different implementation issues. They have performed proof-of-concept attacks on some popular apps in which they were able to steal money from a payment app with more than 1 million users and gain root access in the most widely used root manager application.

Wang advised developers to use AndroidX's androidx.biometric API, which is a wrapper for the FingerprintManager and BiometricPrompt APIs with a secure implementation. He urged them to use third-party libraries carefully, as some of the unofficial libraries the researchers tested were vulnerable to fingerprint-jacking attacks. And finally, he suggested they check their existing implementations. If they use the FingerprintManager API, developers should ensure their app explicitly cancels the fingerprint authentication process when the activity is paused.
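The last recommendation above, as an added example that is not code from the researchers or from the article: a minimal Android activity that starts FingerprintManager authentication only while it is resumed and tears the listener down in onPause, so no fingerprint scanned while another app is in the foreground can reach the callback. The class name, the onUserVerified hook, and the empty crypto object are assumptions made here for illustration.

```kotlin
import android.app.Activity
import android.hardware.fingerprint.FingerprintManager
import android.os.CancellationSignal

// Hypothetical activity wrapping a sensitive action behind a fingerprint check.
class FingerprintAuthActivity : Activity() {
    private var cancellationSignal: CancellationSignal? = null
    private var resumed = false

    private val callback = object : FingerprintManager.AuthenticationCallback() {
        override fun onAuthenticationSucceeded(result: FingerprintManager.AuthenticationResult) {
            // Belt and braces: ignore a result that arrives after we left the foreground.
            if (!resumed) return
            onUserVerified()
        }
        override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
            // FINGERPRINT_ERROR_CANCELED lands here after cancel(); nothing to authorize.
        }
    }

    override fun onResume() {
        super.onResume()
        resumed = true
        startListening()
    }

    override fun onPause() {
        // The mitigation: stop listening the moment this activity is no longer in front,
        // instead of leaving the sensor armed while a covering UI is shown on top.
        resumed = false
        cancellationSignal?.cancel()
        cancellationSignal = null
        super.onPause()
    }

    private fun startListening() {
        val fm = getSystemService(FingerprintManager::class.java) ?: return
        if (!fm.isHardwareDetected || !fm.hasEnrolledFingerprints()) return
        val signal = CancellationSignal()
        cancellationSignal = signal
        // crypto = null keeps the example short; a real app binds a CryptoObject here.
        fm.authenticate(null, signal, 0, callback, null)
    }

    // Placeholder for the action the fingerprint was meant to authorize.
    private fun onUserVerified() { finish() }
}
```

On Android 9 and later the platform also drops background input, but the cancel in onPause is what protects users still on Android 7 and 8, where the article notes there is no system-level protection.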

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...