Fingerprint-Jacking: Practical Fingerprint Authorization Hijacking in Android Apps

Conference:  BlackHat EU 2020



The presentation discusses the practicality of fingerprint jacking attacks on Android devices and how they can be executed despite Android's mitigation measures.
  • Fingerprint jacking is a UI attack that tricks users into authorizing dangerous actions without their knowledge.
  • Android has mitigation measures to block this type of attack, but they can be bypassed.
  • The Android activity lifecycle is a state machine model for Android activities.
  • Normal apps go through the create, start, resume, pause, and stop states when doing fingerprint authorization.
  • Fingerprint jacking attacks involve launching a malicious app disguised as a benign app, launching the fingerprint activity in the target app, using a covering activity to hide the fingerprint activity, and luring the victim to input their fingerprints.
  • Two examples of fingerprint jacking attacks are demonstrated: one involving a diary app and one involving a payment app.
The presentation describes how a malicious app can disguise itself as a benign app and launch the fingerprint activity in the target app while using a covering activity to hide it. The victim is then lured into inputting their fingerprints, which are sent to the background target app. This allows the attacker to complete dangerous actions without the victim's knowledge, such as transferring money from a payment app to the attacker's malicious app.


Many mobile devices carry a fingerprint scanner nowadays. Mobile apps utilize the fingerprint scanner to facilitate operations such as account login and payment authorization. Despite its security-critical nature, relatively little effort has been devoted to the security analysis of the fingerprint scanner, especially from the system security aspect.

In this talk, we introduce fingerprint-jacking, a type of User-Interface-based (UI) attack that targets fingerprint hijacking in Android apps. We coin the term from clickjacking, as our attack also conceals the original interface beneath a fake covering. Specifically, we discover five novel attacking techniques, all of which can be launched from zero-permission malicious apps and some can even bypass the latest countermeasures in Android 9+. Our race-attack is effective against all apps that integrate the fingerprint API.

As apps' implementation flaws intensify the fingerprint-jacking vulnerability, we have designed a static analyzer to efficiently identify apps with implementation flaws that can lead to fingerprint-jacking. In our evaluation of 1630 Android apps that utilize the fingerprint API, we found 347 (21.3%) apps with different implementation issues. We have successfully performed proof-of-concept attacks on some popular apps, including stealing money via a payment app with over 100,000,000 users, gaining root access in the most widely used root manager app, and more. Finally, we discuss potential mitigations for both the apps and the Android framework.
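The summary above describes fingerprints being delivered to a target activity that is covered and in the background. As an added example (not code from the talk or from any app it tested), this is one app-side hardening pattern: listen for fingerprints only between `onResume()` and `onPause()`, and drop any match that arrives while paused. `ConfirmPaymentActivity` and `completePayment()` are hypothetical names; the abstract states the race attack is effective against all apps that integrate the fingerprint API, so this pattern is not claimed to stop that variant.

```java
// Added example: tie fingerprint listening to the foreground lifecycle.
// Assumes the legacy FingerprintManager API (API 23-27) and the
// USE_FINGERPRINT permission declared in the manifest.
import android.app.Activity;
import android.hardware.fingerprint.FingerprintManager;
import android.os.CancellationSignal;

public class ConfirmPaymentActivity extends Activity {   // hypothetical name
    private CancellationSignal cancelSignal;
    private boolean inForeground;

    private final FingerprintManager.AuthenticationCallback callback =
            new FingerprintManager.AuthenticationCallback() {
        @Override
        public void onAuthenticationSucceeded(FingerprintManager.AuthenticationResult result) {
            // Second check: ignore a match delivered after we left the foreground.
            if (!inForeground) {
                return;
            }
            completePayment();
        }

        @Override
        public void onAuthenticationError(int errorCode, CharSequence errString) {
            // Includes the cancellation triggered in onPause(); nothing is authorized.
        }
    };

    @Override
    protected void onResume() {
        super.onResume();
        inForeground = true;
        FingerprintManager fm = getSystemService(FingerprintManager.class);
        if (fm != null && fm.isHardwareDetected() && fm.hasEnrolledFingerprints()) {
            cancelSignal = new CancellationSignal();
            // crypto=null keeps the sample short; production code would normally pass a CryptoObject.
            fm.authenticate(null, cancelSignal, 0, callback, null);
        }
    }

    @Override
    protected void onPause() {
        // Stop listening as soon as another activity covers this one.
        inForeground = false;
        if (cancelSignal != null) {
            cancelSignal.cancel();
            cancelSignal = null;
        }
        super.onPause();
    }

    private void completePayment() { /* hypothetical: the app's authorized action */ }
}
```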


