Dark Reading is part of the Informa Tech Division of Informa PLC


'Fingerprint-Jacking' Attack Technique Manipulates Android UI

Researchers explore fingerprint-jacking, a user interface-based attack that targets fingerprints scanned into Android apps.

Many modern smartphones have a fingerprint scanner to authorize device access and enable account login, payment authorization, and other operations. The scanner is meant for secure authentication, but researchers are finding new ways to manipulate it for malicious gain.


Xianbo Wang, a Ph.D. student at the Chinese University of Hong Kong, today presented research he conducted along with associate professor Wing Cheong Lau, master's student Yikang Chen, Ph.D. candidate Shangcheng Shi, and Sangfor Technologies security expert Ronghai Yang.

In his Black Hat Europe talk, Wang explained how he was hunting for bugs in a mobile wallet app when he found a tactic to enable "fingerprint-jacking," which is a user interface-based attack that targets fingerprints in Android apps. The term stems from clickjacking, he said, as this type of attack conceals a malicious application interface beneath a fake covering.

Wang kicked off his talk with a demo. On a device running Android 10, he opened the Magisk app, which controls which applications on a device have root access. He then launched a simple diary application; while it was on screen, a lock-screen interface appeared on top of it. A fingerprint was used to unlock the device and the user was returned to the diary app. However, when the Magisk app was reopened, he showed that the diary app now had root access on the device.

"Our observation, our motivation is that nowadays people use their fingerprints everywhere, especially on mobile devices, for different purposes," Wang said. For example, fingerprints are used to open applications, authorize money transfers, and enable myriad other sensitive mobile processes.

"The target of this attack is to trick the user into authorizing some dangerous actions without noticing it," he added. Researchers discovered five new attack techniques, all of which can be launched from zero-permission malicious Android apps. Some can bypass countermeasures introduced in Android 9, and one is effective against all apps that integrate with the fingerprint API.

In Android's Activity Life Cycle, only one activity can be in a "running" state at any given time. When an activity is not in the foreground, it must have been paused but may not have been stopped if it's still visible. Normally, when an app does fingerprint authorization, it starts a new activity that contains the fingerprint authentication functionality. The fingerprint activity goes through the normal activity stages of create, start, and resume, then pause when it's in the background.

The important question for attackers is whether fingerprint activity can continue listening to fingerprint inputs when another app is in the foreground. Wang explained that yes, Android has mitigation to block this kind of activity. However, the research team found a few ways to bypass this.

Here's how an attack works: Researchers assume the victim device has a malicious app installed, which can disguise itself as a benign app. After the attack setup, this malicious app launches fingerprint authentication in the target app and uses visual content to lure the victim into entering a fingerprint. That fingerprint input is delivered to the target app in the background and authorizes an action on a screen the user never saw.

What kind of attack setup can enable this? "To introduce that, we need to consider different apps' implementation patterns and different Android OS versions," Wang said. Ideally, an attacker would want the malicious app to require no permissions, neither at installation nor when the app is running. They'd also want the attack to work on the latest Android phones. 

Apps' ability to listen to fingerprint input in the background depends on the version of Android. If a target phone is running Android 7 or Android 8, apps can typically listen to fingerprint input, Wang said. Starting in Android 9, Google added mitigations to the FingerprintManager API to block background fingerprint inputs.

"Before Android 9, there's no system-level protection, so the apps need to block the background fingerprint input by themselves," he explained.

However, in the most powerful attack technique they discovered, researchers were able to break Android mitigations. The "race-attack" exploits a life cycle behavior when two activities are started within a short period of time, enabling a fingerprint-jacking attack. The team reported this issue to Google in June. It has been assigned CVE-2020-27059, and a patch will be released in the January 2021 Android Security Bulletin. 

In an evaluation of 1,630 Android apps that use the fingerprint API, the team found 347 (21.3%) with different implementation issues. They have performed proof-of-concept attacks on some popular apps in which they were able to steal money from a payment app with more than 1 million users and gain root access in the most widely used root manager application.

Wang advised developers to use AndroidX's androidx.biometric API, a wrapper for the FingerprintManager and BiometricPrompt APIs with a secure implementation. He urged them to use third-party libraries carefully, as some of the unofficial libraries the researchers tested were vulnerable to fingerprint-jacking attacks. And finally, he suggested they check their existing implementations. If they use the FingerprintManager API, developers should ensure their app explicitly cancels the fingerprint authentication process when the activity is paused.
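The cancel-on-pause advice above, shown as an added illustration that is not the researchers' code: a hypothetical DiaryUnlockActivity using the legacy FingerprintManager API ties the listener to the activity's foreground lifetime with a CancellationSignal, so that an overlay drawn by another app cannot harvest a touch while this activity is paused. The target app is assumed to declare the USE_FINGERPRINT permission; unlockDiary() stands in for the sensitive action.

```java
import android.app.Activity;
import android.hardware.fingerprint.FingerprintManager;
import android.os.CancellationSignal;

public class DiaryUnlockActivity extends Activity {
    // Assumption: the app targets the legacy FingerprintManager API (pre-androidx.biometric).
    private CancellationSignal cancellationSignal;  // handle used to stop listening on demand

    @Override
    protected void onResume() {
        super.onResume();
        startListening();  // listen only while this activity is the running one
    }

    // The check the talk recommends: a paused activity must not keep listening. Without this
    // cancel, the fingerprint delivered to a lure screen on top still reaches this callback.
    @Override
    protected void onPause() {
        super.onPause();
        if (cancellationSignal != null) {
            cancellationSignal.cancel();  // fires onAuthenticationError(FINGERPRINT_ERROR_CANCELED)
            cancellationSignal = null;
        }
    }

    private void startListening() {
        FingerprintManager fm = getSystemService(FingerprintManager.class);
        if (fm == null || !fm.isHardwareDetected() || !fm.hasEnrolledFingerprints()) {
            return;  // no sensor or no enrolled finger: nothing to listen for
        }
        cancellationSignal = new CancellationSignal();
        fm.authenticate(null, cancellationSignal, 0, new FingerprintManager.AuthenticationCallback() {
            @Override
            public void onAuthenticationSucceeded(FingerprintManager.AuthenticationResult result) {
                cancellationSignal = null;  // one-shot: the listener is consumed by a success
                unlockDiary();
            }

            @Override
            public void onAuthenticationError(int errorCode, CharSequence errString) {
                cancellationSignal = null;  // canceled or failed: the listener is gone either way
            }
        }, null);
    }

    private void unlockDiary() { /* hypothetical sensitive action guarded by the fingerprint */ }
}
```

This closes the implementation gap the study counted in 21.3% of apps; it does not address the platform-level race condition (CVE-2020-27059), which is why the talk also points developers at the androidx.biometric wrapper.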

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
