Using an HTC device? Security researchers at FireEye have discovered a way to steal fingerprints from Android devices with biometric sensors, such as the Samsung Galaxy S5 and the HTC One Max.
The team was in for a big surprise when they found that the fingerprints stored on the HTC One Max exist as an image file (dbgraw.bmp) in a world-readable folder, without any encryption.
"Any unauthorized processes or applications can steal a user's fingerprints by reading this file," the team says, adding that images can be easily printed.
Yulong Zhang, Zhaofeng Chen, Hui Xue and Tao Wei presented their paper Fingerprints On Mobile Devices: Abusing and Leaking [PDF] at the Black Hat conference held in Las Vegas last week.
According to the researchers, most device manufacturers are unable to use Android's TrustZone protection to safeguard biometric data.
"To make matters worse, every time the fingerprint sensor is used for an auth operation, the auth framework refreshes the fingerprint bitmap," the team reports.
"This way, the intruder can sit in the background and collect all the images of the victim's fingerprints."
The team also noted that attackers who gain remote code execution could harvest these fingerprints at scale, since they do not even need root privileges.