Sure, your fingerprint is one of a kind, but it might not keep your personal information safe any longer. That’s because a new version of the Chameleon Android malware reportedly allows bad actors to bypass your fingerprint feature to steal your PIN.
According to researchers with ThreatFabric, the malware effectively tricks people into turning on accessibility services, which then allows attackers to change the phone from a biometric to a PIN lock. It does this, according to Bleeping Computer, by posing as legitimate Android apps and then displaying an HTML page that asks potential victims to turn on accessibility settings. This allows attackers to bypass protections, including fingerprint unlock. Then, when a victim uses the PIN to log-in instead of a fingerprint, the attackers are able to steal that PIN or any password.
People should be careful to make sure if they use an app, especially a banking app, that it is legitimate.
“These enhancements elevate the sophistication and adaptability of the new Chameleon variant, making it a more potent threat in the ever-evolving landscape of mobile banking trojans,” ThreatFabric said.
Bleeping Computer noticed the primary distribution method for the malware was Android package files (APKs) from unofficial sources.
So be careful out there. Even your unique fingerprint might not be enough to protect you.