This brute-force fingerprint attack could break into your Android phone

There is a way to “brute-force” fingerprints on Android devices, and with physical access to the smartphone and enough time, a hacker would be able to unlock the device, a report from cybersecurity researchers at Tencent Labs and Zhejiang University has claimed.

As per the report, there are two zero-day vulnerabilities present in Android devices (as well as those powered by Apple’s iOS and Huawei’s HarmonyOS), called Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL). 

By abusing these flaws, the researchers managed to do two things: have Android allow an infinite number of fingerprint scanning attempts, and feed it fingerprint images drawn from academic datasets, biometric data leaks, and similar sources.

Cheap hardware

To pull the attacks off, the attackers needed a couple of things: physical access to an Android-powered smartphone, enough time, and $15 worth of hardware.

The researchers named the attack “BrutePrint”, and claim that for a device with only one fingerprint enrolled, it would take between 2.9 and 13.9 hours to break into the endpoint. Devices with multiple fingerprints enrolled are significantly easier to break into, they added, with the average time for “brute-printing” being between 0.66 hours and 2.78 hours.

The researchers ran the test on ten “popular smartphone models”, as well as a couple of iOS devices. We don’t know exactly which models were vulnerable, but they said that on Android and HarmonyOS devices, they managed to achieve infinite tries. For iOS devices, however, they only managed to get an extra ten attempts on iPhone SE and iPhone 7 models, which is not enough to successfully pull off the attack. Thus, the conclusion is that while iOS might be vulnerable to these flaws, the current method of breaking into the device via brute force won’t suffice. 

While this type of attack might not be that attractive to the regular hacker, it could be used by state-sponsored actors and law enforcement agencies, the researchers concluded. 

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
