
Attacks and Demos

Translucent-attack on a fingerprint demo app

Translucent-attack is the most basic form of PHYjacking. When the target app forgets to cancel its background sensor access, or cancels it in the wrong Activity Lifecycle event, the malicious app can use an Activity with the translucent property as a deceptive overlay that hides the target app and lures the user into authorizing.

This works in general for physical inputs from sensors such as the camera and microphone. For the fingerprint scanner, it works on Android 6 to 8.1; a system-level mitigation was introduced in Android 9.
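As an added example (not code from this page or from the demo app it tests), the lifecycle mistake described above written out for the API 23-27 FingerprintManager: the scanner is armed in onResume(), the commented-out onDestroy() variant is the wrong cancellation point, and onPause() is the callback that actually fires when another app's translucent Activity covers this one. The class, field and method names, and the USE_FINGERPRINT permission in the manifest, are assumptions.

```java
import android.app.Activity;
import android.hardware.fingerprint.FingerprintManager;
import android.os.Bundle;
import android.os.CancellationSignal;

// Illustrative Activity (assumed name) that gates a sensitive action on a fingerprint.
public class AuthActivity extends Activity {
    private FingerprintManager fpm;
    private CancellationSignal cancel;

    private final FingerprintManager.AuthenticationCallback callback =
            new FingerprintManager.AuthenticationCallback() {
                @Override
                public void onAuthenticationSucceeded(
                        FingerprintManager.AuthenticationResult result) {
                    grantSensitiveAction(); // hypothetical app logic
                }
            };

    @Override
    protected void onCreate(Bundle saved) {
        super.onCreate(saved);
        fpm = getSystemService(FingerprintManager.class); // API 23+
    }

    @Override
    protected void onResume() {
        super.onResume();
        if (fpm == null || !fpm.isHardwareDetected()) return;
        // Arm the scanner only while this Activity is actually in the foreground.
        cancel = new CancellationSignal();
        fpm.authenticate(null, cancel, 0, callback, null);
    }

    // Weak pattern: cancelling only in onDestroy(). A translucent Activity from
    // another app covering this one triggers onPause(), not onDestroy(), so the
    // listener stays armed and a touch on the sensor still reaches this callback.
    // @Override protected void onDestroy() { cancel.cancel(); super.onDestroy(); }

    // Hardened pattern: cancel as soon as the Activity loses the foreground.
    @Override
    protected void onPause() {
        if (cancel != null && !cancel.isCanceled()) cancel.cancel();
        cancel = null;
        super.onPause();
    }

    private void grantSensitiveAction() { /* app-specific */ }
}
```

Note that the Race-attack section below shows lifecycle events themselves can be subverted on Android 9 to 12, so this removes the weakest pattern rather than closing the whole attack class.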

PoC

Multiwindow-bypass on a fingerprint demo app

When the device is running in multi-window mode (also known as split-window mode), launching the target app and the malicious translucent overlay in adjacent windows makes fingerprint-jacking possible on Android 9+, bypassing the system mitigation in the FingerprintManager API.

PoC

Race-attack on a fingerprint demo app

Race-attack is the most powerful PHYjacking attack. It exploits a bug we identified in the implementation of the Android Activity Lifecycle model. It can invalidate both the fingerprint API mitigation added in Android 9 and any user-level attack detection that relies on lifecycle events. This attack was verified to work on Android 9 to Android 12.

PoC

Fingerprint-jacking on a real app: Magisk Manager

Old versions of Magisk Manager have an insecure implementation of fingerprint authorization for granting root access. The following video shows a fingerprint-jacking attack against Magisk Manager that steals root access.

Mobile payment apps are an interesting target for PHYjacking attacks. We conducted PoC attacks on several popular mobile payment apps. The following video is arranged as a blind test: only one of the two side-by-side windows is under a facejacking attack.

Can you spot which one is which?

Only one of the videos shows the facejacking attack.


The right-side clip shows a screen under a facejacking attack. The left-side clip is a screen recording of normal app usage without any attack. At the end, a payment to the malicious app is made on the right-side device.