Malicious Apps Were Found to Scan Fingerprints Illegally

IoT developers keep finding new ways for users to authenticate themselves while using their devices and virtual services. This comes out of necessity because cyber attackers keep finding new ways to exploit the different authentication methods that are employed. Passwords continue to be used most regularly, simply because other technologies have not been developed fully, are not compatible with devices, or cannot offer users what they need. That being said, more and more devices and tools now allow users to authenticate themselves using their voice, face, retinas, and even fingerprints.

Without a doubt, identification via fingerprint scanning is nothing new. In fact, there is evidence that shows fingerprint analysis being employed as early as 500 BC. Of course, fingerprint scanning became common in our day-to-day life due to the technology that was created in the 20th century. Nowadays, fingerprint scanning is used as a form of authentication on many IoT devices. Unfortunately, hackers have found a way to exploit fingerprint scanning to steal personal information using fake apps.

Fake apps steal personal information from iOS users

If you own an iOS device, you need to be extremely cautious about fictitious and misleading apps that might have been set up to steal your personal information when you use the fingerprint scanning feature called Touch ID. According to ESET, some of these apps pose as fitness-tracking tools, and iOS users are tricked into downloading them – in many cases, from the Apple App Store – in the hopes of doing something good for themselves. Unfortunately, the opposite happens.

Two specific apps reviewed by researchers – Fitness Balance and Calories Tracker – were extremely pricey (up to €139.99), and the user would learn about the price only after they agreed to have their fingerprints scanned. Unfortunately, if a credit/debit card was linked to the Apple account, this fingerprint scanning would automatically validate the purchase. These two apps have been removed from the App Store, but it is impossible to say how many similar apps could still exist, or how many could be created in the future.

It is possible that the malicious apps could have recorded the scanned fingerprints too, and that is considered to be a form of personal data theft. This isn't the first recorded incident of hackers using fake fingerprint scanning apps. In fact, industry professionals and users were warned about this back in 2015, when Yulong Zhang demonstrated how hackers could use fingerprint scanners to perform illicit transactions. The researcher also showed how hackers could add their own fingerprints to a hacked device to gain access. He also found a way to perform fingerprint scanning even when the user did not know they were using a scanner. Three years later, more devices than ever have fingerprint sensors, which is why it is so important to understand the risks related to fingerprint scanning devices.

How to avoid malicious fingerprint scanning apps

Surely, you do not want to think about your virtual security and your financial security every time you touch your phone or any other device that uses fingerprint scanning technologies. It is now known that fake apps steal personal information not only by recording regular data (e.g., browsing data, passwords, usernames, PIN codes, etc.), but by recording your fingerprints as well. If a malicious app manages to record your fingerprint, it might be able to perform illegal transactions from the connected credit and debit cards! So, if you want to avoid malicious fingerprint scanners, the first thing you need to do is learn how to spot them.

  • Whenever you download a new app, you have to be diligent about your research. Read reviews on third-party sources, and do not rely completely on the reviews available on the app's direct source. Of course, if the reviews and ratings are terrible, you know that the app cannot be trusted. Unfortunately, ratings and reviews can be faked. The two fake fitness-tracking apps that we discussed in this report had very good ratings and reviews, which is why many users fell for the scam.
  • Read the description of the app. Familiarize yourself with the developer and their privacy policies. Do not ignore grammatical mistakes.
  • Be very cautious about the interface of the app too. Without a doubt, if an app asks you to scan your fingerprint, you should remove it immediately. And if you have been tricked already, check your balance to look for any suspicious transactions, and call your bank to find out what you can do to get your money back.
  • Do not skip the information regarding the permissions and privileges the app requests. If, for example, an app that is supposed to track your fitness also wants to connect to your camera or record your phone address book, it is quite possible that it was created by someone who is interested in more than just your fitness statistics.

You can learn more about malicious apps and how to identify them here.

What's the alternative to fingerprint scanning?

If you are using a fingerprint scanner every day – for example, to log into your mobile device – you might be scared about the prospects. Yes, fingerprints are not invincible, and while fingerprint scanning is a terrific alternative to other authentication methods, you might be looking for something else. Maybe it's worth looking into voice recognition? Or maybe you will go back to the good old passwords. If that is your choice, remember that password security is very important. Whether it's the passcode to your phone, the password to your online banking account, or the secret answer to a blocked profile, you need it to be strong and protected. Do you know how to feed two birds with one scone? Install a trusted password manager.

Cyclonis Password Manager is a tool that generates strong passwords for those who cannot come up with them themselves. It is also a tool that can safely store highly sensitive information, including passwords, credit card information, passport numbers, etc. It is a tool that can help you access private information from anywhere in the world using any device (given that the information is encrypted and stored on a cloud device). It is a tool that can help you take your virtual security to the next level for free.

December 27, 2018
