Attackers can extract data from fingerprint sensors on Android phones remotely due to inadequate protection mechanisms, researchers have discovered, putting authentication for mobile payments at risk.
The biometrics security flaw comes as the growing number of serious Android vulnerabilities forces Google to provide monthly patch updates for its Nexus phones.
Tao Wei and Yulong Zhang of infosec firm FireEye will today debut their research into the fingerprint sensor security vulnerability at the Black Hat conference in Las Vegas.
The researchers said "severe issues" exist within the current Android fingerprint frameworks, which had "long been neglected" by vendors and users.
They outlined three specific security problems with the current designs.
One, a confused authorisation attack, enables malware to bypass payment authorisations protected by fingerprints, Wei and Zhang said.
They also highlighted design flaws within ARM's TrustZone hardware security framework which allowed a fingerprint sensor spying attack to harvest fingerprints, as well as pre-embedded fingerprint backdoors.
Wei and Zhang will detail their findings - including a live demo - later today.
The researchers told ZDNet affected vendors had provided patches after being notified of the issue.
"Unlike passwords, fingerprints last a lifetime and are usually associated with critical identities," the researchers' presentation blurb states.
"Thus, the leakage of fingerprints is irredeemable. It will be an even greater disaster if attackers can remotely harvest fingerprints at a large scale."
Samsung, Motorola, Huawei, Oppo and HTC all currently sell Android devices equipped with fingerprint sensors.
Samsung's Knox device partitioning uses ARM's TrustZone in its TrustZone-based Integrity Measurement Architecture (TIMA), built into the Galaxy S6 flagship smartphone.
Google recently revealed its upcoming new version of Android, Android M, would for the first time provide OS-level support for fingerprint scanners.
Growing flaws force Google to act on security
Google will now provide monthly Android software updates to its line of Nexus phones to improve mobile security.
It rolled out the first such update today, which included a fix for the dangerous Stagefright bug revealed late last month.
The move is in response to the growing number of Android vulnerabilities being discovered: in just the past few months, Stagefright was joined by a denial-of-service bug that can turn devices into vegetables, as well as weaknesses in Android's factory reset function that meant data wasn't being properly wiped and could be recovered.
The new approach means Nexus devices will receive major updates for at least two years and security patches for three years from when the device first became available, or for 18 months after the device is last sold.
Google will also make the updated software publicly available through the Android Open Source Project - the license-free version of Android - meaning makers of derived devices, such as Amazon's Fire OS tablets, can also keep their products patched.
The company has provided monthly security bulletins to OEM partners like Samsung and HTC for the past three years.
But handset makers still remain at the mercy of their carrier partners to deploy software fixes to end users, which historically can take years, if it happens at all.
However, Samsung today said it would start implementing a new fast-track process for security patches, and will push over-the-air updates on a monthly basis.
It said it recently took such an approach with security updates to its Galaxy devices to address the Stagefright bug.
Samsung said it was in discussions with carriers globally to implement the new approach.
"With the recent security issues, we have been rethinking the approach to getting security updates to our devices in a more timely manner," Samsung's head of mobile research and development Dong Jin Koh said in a statement.
"Since software is constantly exploited in new ways, developing a fast response process to deliver security patches to our devices is critical to keep them protected. We believe that this new process will vastly improve the security of our devices and will aim to provide the best mobile experience possible for our users."