'Fingerprint-Jacking' Attack Technique Manipulates Android UI

Researchers explore fingerprint-jacking, a user interface-based attack that targets fingerprints scanned into Android apps.

Many modern smartphones have a fingerprint scanner to authorize device access and enable account login, payment authorization, and other operations. The scanner is meant for secure authentication, but researchers are finding new ways to manipulate it for malicious gain.


Xianbo Wang, a Ph.D. student at the Chinese University of Hong Kong, today presented research he conducted along with associate professor Wing Cheong Lau, master's student Yikang Chen, Ph.D. candidate Shangcheng Shi, and Sangfor Technologies security expert Ronghai Yang.

In his Black Hat Europe talk, Wang explained how he was hunting for bugs in a mobile wallet app when he found a tactic to enable "fingerprint-jacking," which is a user interface-based attack that targets fingerprints in Android apps. The term stems from clickjacking, he said, as this type of attack conceals a malicious application interface beneath a fake covering.

Wang kicked off his talk with a demo. On a device running Android 10, he opened the Magisk app, which controls which applications on a device have root access. He then launched a simple diary application; while he was viewing it, a lock-screen interface appeared. A fingerprint was scanned to unlock the device, and the user was returned to the diary app. When the Magisk app was reopened, however, it showed that the diary app had been granted root access on the device.

"Our observation, our motivation is that nowadays people use their fingerprints everywhere, especially on mobile devices, for different purposes," Wang said. For example, fingerprints are used to open applications, authorize money transfers, and enable myriad other sensitive mobile processes.

"The target of this attack is to trick the user into authorizing some dangerous actions without noticing it," he added. Researchers discovered five new attack techniques, all of which can be launched from zero-permission malicious Android apps. Some can bypass countermeasures introduced in Android 9, and one is effective against all apps that integrate with the fingerprint API.

In Android's activity life cycle, only one activity can be in the "running" (resumed) state at any given time. An activity that is not in the foreground has been paused, but it may not yet have been stopped if it is still visible. Normally, when an app performs fingerprint authorization, it starts a new activity that contains the fingerprint authentication functionality. That fingerprint activity goes through the usual stages of create, start, and resume, and is paused once it moves to the background.

The important question for attackers is whether a fingerprint activity can keep listening for fingerprint input while another app is in the foreground. Wang explained that Android does have mitigations to block this kind of background listening. However, the research team found a few ways to bypass them.

Here's how an attack works: Researchers assume the victim device has a malicious app installed; it can disguise itself as a benign app. After attack setup, the malicious app launches fingerprint authentication in the target app and displays visual content that lures the victim into scanning their fingerprint. The scan is delivered to the target app, which is still listening in the background, and authorizes the sensitive action there.

What kind of attack setup can enable this? "To introduce that, we need to consider different apps' implementation patterns and different Android OS versions," Wang said. Ideally, an attacker would want the malicious app to require no permissions, neither at installation nor when the app is running. They'd also want the attack to work on the latest Android phones. 

Apps' ability to listen to fingerprint input in the background depends on the version of Android. If a target phone is running Android 7 or Android 8, apps can typically listen to fingerprint input, Wang said. Starting in Android 9, Google added mitigations to the FingerprintManager API to block background fingerprint inputs.

"Before Android 9, there's no system-level protection, so the apps need to block the background fingerprint input by themselves," he explained.

However, in the most powerful attack technique they discovered, researchers were able to break Android mitigations. The "race-attack" exploits a life cycle behavior when two activities are started within a short period of time, enabling a fingerprint-jacking attack. The team reported this issue to Google in June. It has been assigned CVE-2020-27059, and a patch will be released in the January 2021 Android Security Bulletin. 

In an evaluation of 1,630 Android apps that use the fingerprint API, the team found 347 (21.3%) with different implementation issues. They have performed proof-of-concept attacks on some popular apps in which they were able to steal money from a payment app with more than 1 million users and gain root access in the most widely used root manager application.

Wang advised developers to use AndroidX's androidx.biometric API, a wrapper around the FingerprintManager and BiometricPrompt APIs with a secure implementation. He urged them to use third-party libraries carefully, as some of the unofficial libraries the researchers tested were vulnerable to fingerprint-jacking attacks. And finally, he suggested they check their existing implementations. If they use the FingerprintManager API, developers should ensure their app explicitly cancels the fingerprint authentication process when the activity is paused.
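As an added illustration (not code from the researchers or from any app they tested), here is a minimal Android activity written in the pattern Wang recommends for apps still on the FingerprintManager API: it starts listening only in onResume() and cancels the listener in onPause(), so a paused activity cannot consume a scan lured by another app's overlay. Class and method names are hypothetical.

```java
import android.app.Activity;
import android.hardware.fingerprint.FingerprintManager;
import android.os.CancellationSignal;

// Hypothetical activity showing the mitigation the talk recommends for apps
// still on FingerprintManager: listen only while resumed, cancel on pause.
public class FingerprintAuthActivity extends Activity {
    private FingerprintManager fingerprintManager;
    private CancellationSignal cancellationSignal;
    private boolean resumed;  // true only between onResume() and onPause()

    @Override
    protected void onResume() {
        super.onResume();
        resumed = true;
        fingerprintManager = getSystemService(FingerprintManager.class);
        cancellationSignal = new CancellationSignal();
        fingerprintManager.authenticate(null, cancellationSignal, 0,
                new FingerprintManager.AuthenticationCallback() {
                    @Override
                    public void onAuthenticationSucceeded(
                            FingerprintManager.AuthenticationResult result) {
                        // A scan that arrives while this activity is not in the
                        // foreground must not authorize anything.
                        if (resumed) onAuthorized();
                    }
                    @Override
                    public void onAuthenticationError(int code, CharSequence msg) {
                        // ERROR_CANCELED follows our own cancel(); nothing to do.
                    }
                }, null);
    }

    @Override
    protected void onPause() {
        super.onPause();
        resumed = false;
        // The vulnerable pattern is to omit this cancel: the paused activity keeps
        // listening, so a scan lured by another app's overlay still reaches it.
        if (cancellationSignal != null) {
            cancellationSignal.cancel();
            cancellationSignal = null;
        }
    }

    private void onAuthorized() { /* app-specific sensitive action (placeholder) */ }
}
```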

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
