
Android phones with fingerprint sensors are at risk of being unlocked by attackers as researchers discover a new kind of brute-force attack known as “BrutePrint.”
The BrutePrint attack can access locked Android phones using unlimited trial-and-error attempts to bypass the device’s fingerprint sensor. Attackers could then gain unauthorised access to a victim’s smartphone, allowing them to snoop around a user’s private data.
Discovered by researchers at Tencent Labs and Zhejiang University (via Arxiv.org), the new attack was tested on ten smartphone models. This included popular phone brands Xiaomi, Vivo, OnePlus, Oppo and Samsung using Android OS, Huawei using HarmonyOS and iPhone using iOS.
Researchers claim that two zero-day vulnerabilities, Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL), allowed them to get over a smartphone’s security to block brute-force attacks, including attempt limits and liveness detection. On Android phones and Huawei devices, the researchers were able to gain an unlimited number of attempts to brute-force fingerprints – allowing them to gain access to the phone eventually. As for iPhone models, the BrutePrint attack allowed ten additional tries, but not enough for a brute-force attack.

As BleepingComupter points out, attackers need access to a fingerprint database in order to perform a brute-force attack. This can be done by using biometric data leaks or through academic datasets. The BrutePrint also requires the right equipment, which is said to cost around $15.

Hackers would need physical access to a victim’s phone for the BrutePrint attack to work, along with a considerable amount of time. According to the research paper, it would take between 2.9 and 13.9 hours to crack into an Android phone with a fingerprint sensor. However, this can drop to 0.66 hours when using multiple fingerprint images simultaneously.
As Apple, Microsoft and Google Passkeys aim to replace passwords using biometric safeguards such as fingerprint sensors, this new form of fingerprint brute-force attack may cause new security issues for smartphone users.
How do BrutePrint attacks work?
A BrutePrint attack works like a brute-force attack, as it requires an unlimited number of fingerprint image attempts to gain unauthorised access to a phone.
The fingerprint matches don’t need to precisely line up with the authorised fingerprint, reducing the time for attackers to gain access. A Fingerprint match uses a threshold, allowing threat actors to manipulate the False Acceptance Rate (FAR) to increase the required acceptance threshold.
The BrutePrint attack exploits the CAMF fault to allow for multi-sampling and stop smartphone error-cancelling safeguards. The phone’s security won’t register failed attempts, meaning attackers have unlimited chances to match a fingerprint without the fear of being locked out.
Thanks to the MAL exploit, the threat actors can get authentication results even if the device is in a “lockout” mode. This mode is when the smartphone locks out after several failed attempts. However, the MAL vulnerability can get past this, even during the “timeout” period of the Android phone.
What is a brute-force attack?
A brute-force attack is a hacking tactic used by threat actors that uses trial and error to crack passwords, encryption keys or any login credentials. Think of it like a high-speed guessing game to gain unauthorized access to devices or accounts.
Using automation software and scripts to go through countless password combinations, a brute-force attack can make hundreds of guesses per second. Given enough time, the idea is to guess the correct login information.
Weak passwords commonly used are most vulnerable to this form of attack. According to UK-based Custard Technical Services, the average time it takes to hack the top 30 most used passwords, which includes the usual culprits such as “123456,” “qwerty,” “password” and more, can take as little as 0.3 seconds.
However, passwords using various uppercase and lowercase letters, numbers and special characters in random patterns can take much longer. For example, using “2rdrta-R.J.J.T” on PasswordMaster.com, it will take 193 billion years for a brute-force attack to crack it.
It’s a simple method for hackers if login credentials are weak, but a brute-force attack can only go so far before it takes too long to break in.
Moral of the story? Use a strong password on all your accounts, and keep your device safe from being stolen. Using one of the best antivirus software can’t hurt either.
Use antivirus software to protect your device
The best way to get rid of any kind of attack is to use the best antivirus software.
The best antivirus apps come with a suite of security features that can get rid of virus, malware, ransomware, spyware or any malicious software that burrows into your Android. Many of the best also provide a password manager, which will help keep brute-force attacks at bay.
Some antivirus software, such as Bitdefender, offers security subscriptions specifically for Android, making it a more cost-effective option for those that only need Android protection.
We also recommend free apps from known cybersecurity companies, including Norton 360, Avast One, AVG and Malwarebytes Mobile Security. These will detect and remove malware on your Android. Check out our thoughts on each antivirus below.
- AVG Antivirus review: Free antivirus for the win
- Avast One review: Strong antivirus for free!
- Malwarebytes review: Premium is the way to go
- Norton 360 review: Optimal security