Researchers claim to have discovered a serious flaw affecting the fingerprint scanners used on Android smartphones, such as the Samsung Galaxy S5.
FireEye’s Yulong Zhang and Tao Wei told Forbes that it’s possible for hackers to “easily” steal biometric data stored on a mobile before it’s been properly secured in the ‘trusted zone’.
They could then create copies of users’ fingerprints and carry out further attacks.
“If the attacker can break the kernel, although he cannot access the fingerprint data stored in the trusted zone, he can directly read the fingerprint sensor at any time,” said Zhang.
“Every time you touch the fingerprint sensor, the attacker can steal your fingerprint.
“You can get the data and from the data you can generate the image of your fingerprint. After that you can do whatever you want.”
Zhang and Wei said this issue could affect all fingerprint scanner-equipped Android handsets running Android 5.0 Lollipop and below, though attackers would require a high level of access to the targeted phone.
FireEye singled the Galaxy S5 out for deeper criticism, since attackers would simply need access to its memory in order to steal information.
“Samsung takes consumer privacy and data security very seriously,” the company reportedly responded. “We are currently investigating FireEye’s claims.”
Updating to Android 5.1.1 should remove the vulnerabilities, according to Zhang and Wei.