‘Fingerprint-Jacking’ Attack Technique Manipulates Android UI
Researchers have been conducting studies into the technique of fingerprint-jacking, in which threat actors overcome fingerprint scanning technologies for malicious intent. fingerprint-jacking is a user-interface based attack that steals users’ biometric data when stored in Andriod apps. Many different smartphone models consist of fingerprint scanners that authorize access to enable account login, payment authorization, and perform other functions. Although the technology was created to bring more security to smartphones, it is now being exploited by threat actors.
Researcher and student Xianbo Wang of Hong Kong presented research at Black Hat Europe alongside other students and experts, providing a demonstration on how the tool is overcome. Wang simply opened the Magisk app on a device running Andriod 10, performing simple functions and ending with root access on the device. Wang explained that the target of the attack is to trick the user into authorizing harmful actions without detecting an issue. Five new attack techniques have been discovered, with some having the ability to work against all apps that integrate fingerprint API.