‘Fingerprint-jacking’ attack technique manipulates Android UI

Researchers explore fingerprint-jacking, a user interface-based attack that targets fingerprints scanned into Android apps.

Many modern smartphones have a fingerprint scanner to authorize device access and enable account login, payment authorization, and other operations. The scanner is meant for secure authentication, but researchers are finding new ways to manipulate it for malicious gain.

Xianbo Wang, a Ph.D. student at the Chinese University of Hong Kong, today presented research he conducted along with associate professor Wing Cheong Lau, master’s student Yikang Chen, Ph.D. candidate Shangcheng Shi, and Sangfor Technologies security expert Ronghai Yang.

In his Black Hat Europe talk, Wang explained how he was hunting for bugs in a mobile wallet app when he found a tactic to enable “fingerprint-jacking,” which is a user interface-based attack that targets fingerprints in Android apps. The term stems from clickjacking, he said, as this type of attack conceals a malicious application interface beneath a fake covering.

Wang kicked off his talk with a demo. On a device running Android 10, he opened the Magisk app, which can control the applications on a device that have root access. He then launched a simple diary application; while viewing, the interface of a lock screen appeared. A fingerprint was used to unlock the device and the user was directed back to the diary app. However, when the Magisk app was reopened, he showed the diary app now had root access on the device.

“Our observation, our motivation is that nowadays people use their fingerprints everywhere, especially on mobile devices, for different purposes,” Wang said. For example, fingerprints are used to open applications, authorize money transfers, and enable myriad other sensitive mobile processes.

“The target of this attack is to trick the user into authorizing some dangerous actions without noticing it,” he added. Researchers discovered five new attack techniques, all of which can be launched from zero-permission malicious Android apps. Some can bypass countermeasures introduced in Android 9, and one is effective against all apps that integrate with the fingerprint API.

To read the complete article, visit Dark Reading.