Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

12/10/2020
04:55 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

'Fingerprint-Jacking' Attack Technique Manipulates Android UI

Researchers explore fingerprint-jacking, a user interface-based attack that targets fingerprints scanned into Android apps.

Many modern smartphones have a fingerprint scanner to authorize device access and enable account login, payment authorization, and other operations. The scanner is meant for secure authentication, but researchers are finding new ways to manipulate it for malicious gain.

Related Content:

Security Incidents Are 'Tip of the Iceberg,' Says UK Security Official

Building an Effective Cybersecurity Incident Response Team

New From The Edge: 51% of Edge Readers Plan to Pursue New Cybersecurity Certification in 2021

Xianbo Wang, a Ph.D. student at the Chinese University of Hong Kong, today presented research he conducted along with associate professor Wing Cheong Lau, master's student Yikang Chen, Ph.D. candidate Shangcheng Shi, and Sangfor Technologies security expert Ronghai Yang.

In his Black Hat Europe talk, Wang explained how he was hunting for bugs in a mobile wallet app when he found a tactic to enable "fingerprint-jacking," which is a user interface-based attack that targets fingerprints in Android apps. The term stems from clickjacking, he said, as this type of attack conceals a malicious application interface beneath a fake covering.

Wang kicked off his talk with a demo. On a device running Android 10, he opened the Magisk app, which can control the applications on a device that have root access. He then launched a simple diary application; while viewing, the interface of a lock screen appeared. A fingerprint was used to unlock the device and the user was directed back to the diary app. However, when the Magisk app was reopened, he showed the diary app now had root access on the device.

"Our observation, our motivation is that nowadays people use their fingerprints everywhere, especially on mobile devices, for different purposes," Wang said. For example, fingerprints are used to open applications, authorize money transfers, and enable myriad other sensitive mobile processes.

"The target of this attack is to trick the user into authorizing some dangerous actions without noticing it," he added. Researchers discovered five new attack techniques, all of which can be launched from zero-permission malicious Android apps. Some can bypass countermeasures introduced in Android 9, and one is effective against all apps that integrate with the fingerprint API.

In Android's Activity Life Cycle, only one activity can be in a "running" state at any given time. When an activity is not in the foreground, it must have been paused but may not have been stopped if it's still visible. Normally, when an app does fingerprint authorization, it starts a new activity that contains the fingerprint authentication functionality. The fingerprint activity goes through the normal activity stages of create, start, and resume, then pause when it's in the background.

The important question for attackers is whether fingerprint activity can continue listening to fingerprint inputs when another app is in the foreground. Wang explained that yes, Android has mitigation to block this kind of activity. However, the research team found a few ways to bypass this.

Here's how an attack works: Researchers assume the victim device has a malicious app installed; this can disguise itself as a benign app. After attack setup, this malicious app can launch fingerprint authentication in the target app and use visual content to lure a victim into entering their fingerprint. These are sent to the background app and used to authorize other screens.

What kind of attack setup can enable this? "To introduce that, we need to consider different apps' implementation patterns and different Android OS versions," Wang said. Ideally, an attacker would want the malicious app to require no permissions, neither at installation nor when the app is running. They'd also want the attack to work on the latest Android phones. 

Apps' ability to listen to fingerprint input in the background depends on the version of Android. If a target phone is running Android 7 or Android 8, apps can typically listen to fingerprint input, Wang said. Starting in Android 9, Google added mitigations to the FingerprintManager API to block background fingerprint inputs.

"Before Android 9, there's no system-level protection, so the apps need to block the background fingerprint input by themselves," he explained.

However, in the most powerful attack technique they discovered, researchers were able to break Android mitigations. The "race-attack" exploits a life cycle behavior when two activities are started within a short period of time, enabling a fingerprint-jacking attack. The team reported this issue to Google in June. It has been assigned CVE-2020-27059, and a patch will be released in the January 2021 Android Security Bulletin. 

In an evaluation of 1,630 Android apps that use the fingerprint API, the team found 347 (21.3%) with different implementation issues. They have performed proof-of-concept attacks on some popular apps in which they were able to steal money from a payment app with more than 1 million users and gain root access in the most widely used root manager application.

Wang advised developers to use Android X's androidx[.]biometric API, which is a wrapper for FingerprintManager and BiometricPrompt API with secure implementation. He urged them to use third-party libraries carefully, as some of the unofficial libraries the researchers tested were vulnerable to fingerprint-jacking attacks. And finally, he suggested they check their existing implementations. If they use FingerprintManager API, developers should ensure their app explicitly cancels the fingerprint authentication process when an application is paused.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31607
PUBLISHED: 2021-04-23
In SaltStack Salt 2016.9 through 3002.6, a command injection vulnerability exists in the snapper module that allows for local privilege escalation on a minion. The attack requires that a file is created with a pathname that is backed up by snapper, and that the master calls the snapper.diff function...
CVE-2021-31597
PUBLISHED: 2021-04-23
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
CVE-2021-2296
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...
CVE-2021-2297
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...
CVE-2021-2298
PUBLISHED: 2021-04-22
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attac...