HTC and Samsung have patched serious vulnerabilities in some of their Android phones that made it possible for malicious hackers to steal user fingerprints. The researchers who discovered the flaws said that many more phones from all manufacturers may be susceptible to other types of fingerprint-theft attacks.
The most serious of the flaws was found on HTC's One Max handset. According to researchers at security firm FireEye, the device saved user fingerprints as an unencrypted file. Almost as bad, the BMP image was readable by any other running application or process. As a result, any unprivileged process or app could obtain a user's fingerprints by reading the file. Attackers could capitalize on the weakness by exploiting one of the many serious vulnerabilities that regularly crop up in Android or by tricking a target into installing a malicious app. HTC fixed the issue after FireEye privately reported it, according to this summary, which didn't provide a date or other details of the update.
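An added audit sketch for the storage flaw described above (not code from FireEye, HTC or the original article): it walks a data directory and reports files that look like BMP images and that any unprivileged process could reach. The directory passed to `audit()` and the header-size heuristic are assumptions made for illustration; the article does not give the file's actual path.

```python
import os
import stat
import struct

def looks_like_bmp(path):
    """Heuristic (assumption): 'BM' magic plus a declared size equal to the real size."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(6)
    except OSError:
        return False
    if len(head) < 6 or head[:2] != b"BM":
        return False
    declared = struct.unpack("<I", head[2:6])[0]
    return declared == os.path.getsize(path)

def reachable_by_others(path, root):
    """True if 'other' may read the file AND traverse every directory from root to it.

    A world-readable file inside a directory without the 'other' execute bit
    cannot be opened by an unrelated app, so both conditions matter.
    """
    if not os.stat(path).st_mode & stat.S_IROTH:
        return False
    directory = os.path.dirname(path)
    while True:
        if not os.stat(directory).st_mode & stat.S_IXOTH:
            return False
        if os.path.samefile(directory, root):
            return True
        directory = os.path.dirname(directory)

def audit(root):
    """Return sorted paths under root holding BMP images exposed to every local process."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            # Skip symlinks and special files; only regular files are inspected.
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            if looks_like_bmp(path) and reachable_by_others(path, root):
                findings.append(path)
    return sorted(findings)
```

The check only covers permissions below `root`; encryption at rest and keeping the image inside a trusted execution environment are separate controls it does not assess.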
A separate flaw found in both the HTC One Max and Samsung Galaxy S5 phones also put user fingerprints at risk by exposing the sensor to attackers. Consensus among security professionals is that the sensor should invoke the TrustZone protections provided by the ARM chips the phones run on. TrustZone allows sensitive operations to be isolated from the rest of the operating system in much the way that classified information belonging to governments isn't stored or transmitted over unclassified systems. FireEye researchers said most manufacturers fail to use the feature to protect the sensor operations.