You may not be the only one swiping fingerprints on your own Galaxy S5. Criminals may very well be doing it, too, and without your knowledge.
Researchers at FireEye discovered a serious flaw in certain Android phones — not just the Galaxy S5, though other affected models weren’t named. While fingerprint results are locked away in Android’s trusted utility area, the biometric scanner itself is exposed. With the proper access, a criminal can perform a man-in-the-middle attack and siphon off scans while they’re in transit.
Resident malware does the dirty work silently without anyone's knowledge. Once criminals have acquired those tasty bits, “you can generate the image of the fingerprint,” Yulong Zhang explained. He added, “after which can be done whatever you want.”
Scary, right? It would be, if not for a few important caveats. First, this type of flaw was fixed in Android 5.0. Most new devices are shipping with Lollipop pre-installed, and it’s been rolling out to more older devices lately. If your carrier has already updated your handset, you’re good.
Second, FireEye’s researchers say that an attacker has to be able to “break the kernel” in order to gain the necessary access to a phone’s fingerprint scanner. Unless you’ve rooted your device, you most likely aren’t in harm’s way when it comes to this exploit.
That malware would also need to find its way onto your phone somehow, of course, and if you’re only installing apps from the Play Store, the odds of that happening are pretty slim. Samsung is, nevertheless, investigating FireEye’s claims.
As worrisome as this exploit is, it’s much scarier to consider that someone with access to the right lab equipment can reproduce your fingerprint with nothing more than a photo they found on the Internet.


