ZDNet reported on how hackers can remotely steal fingerprints from Android phones.
The attack, which was confirmed on the HTC One Max and Samsung’s Galaxy S5, allows a hacker to stealthily acquire a fingerprint image from an affected device because device makers don’t fully lock down the sensor.
Making matters worse, the sensor on some devices is only guarded by the “system” privilege instead of root, making it easier to target. (In other words: rooting or jailbreaking your phone can leave you at a greater risk.) Once the attack is in place, the fingerprint sensor can continue to quietly collect fingerprint data on anyone who uses the sensor.
“In this attack, victims’ fingerprint data directly fall into attacker’s hand. For the rest of the victim’s life, the attacker can keep using the fingerprint data to do other malicious things,” Zhang said. And that’s a big problem. Fingerprints might be commonplace in mobile payments and unlocking devices, but they have been used more in the past five years also for identity, immigration, and for criminal records.
Fault lies firmly with the device makers. Food for thought for people who like to root their Android devices.