How to gain unauthorized fingerprint access to an LG V10

by: John DyeFebruary 12, 2016

Youtuber Matt OnYourScreen has discovered a pretty unsettling way to bypass all of the security on an LG V10 and potentially gain unlimited access to the device in the future. Any LG V10 running Nova Launcher is vulnerable to this attack, and all it takes is about 30 seconds of access to the device.

To be fair, the circumstances have to be pretty perfect to be able to pull off this trick on a V10. Here’s the breakdown of how it works, but bear in mind we are in no way condoning the malicious use of this work-around. Rather, we want to make it clear how easily this vulnerability can be exploited and demonstrate the steps necessary to protect your device from exploitation.

MediaTek development USBSee also: MediaTek-related bug leaves KitKat devices vulnerable7

Say someone lends you their smartphone for a minute or two. Maybe they’re showing off some cool app, maybe you’ve asked to make a call… either way, all you need is a few moments in which you have access to the V10’s screen and they aren’t paying attention.

If this person isn’t running Nova Launcher, the game’s up here. This vulnerability is only known to work on this particular launcher so far, so if your quarry is operating Google Now then they are safe from your malicious intent. However, if they are running Nova Launcher, you can tap the Home button while on the main home screen, then tap the Widgets option. Add a Nova Action widget to the home screen, and then choose the activity “com.lge.fingerprintsettings.” (1)

Source: Matt OnYourScreen

Pause here for a second, because this is where the vulnerability exists. Through the normal Settings menu, it’s impossible to access this particular activity before going through a security checkpoint and confirming either a fingerprint or PIN. However, since Nova is able to ignore the normal menu flow that leads to this screen, it creates a situation where a user can add their own fingerprint to the list of allowed fingerprints without ever proving that they have authorized access to the device.

The widget on the homescreen will now lead directly to fingerprint settings, and you can add your own fingerprint before deleting the widget, leaving little trace of your actions. Unless the additional fingerprint is noticed and deleted by the primary user, you will have unlimited access to the device from here on out.

Source: Matt OnYourScreen

There is, however, a very simple fix to prevent this exploit from working. The LG V10 only supports four fingerprint profiles. Any attempts to add a fifth profile will fail. Therefore if you want to protect this device from this vulnerability, all you have to do is scan in four fingerprints to fill up that list. Alternatively, you can use another launcher besides Nova. (2)

Source: Matt OnYourScreen

What do you think of this security settings bypass? Is this a problem that could exist on other phones running Nova Launcher? Let us know your opinions in the comments below!

Thanks, Matt OnYourScreen!

Android-malwareNext: Google bans 13 apps that secretly download other malware49
  • Damon Owens

    good thing I don’t really care for launchers

    • vamp07

      You don’e need to care about launchers for the hack to still work. Just add install nova or any number of launchers to the steps required to implement the hack.

      • Damon Owens

        I’m saying that, for me, it’s not an exploit that will make me exchange my v10 for another phone because a launcher that I do have the pro version of will allow, or help aid in to someone getting in to my phone. Sure you may be able to add other launchers in to the equation, but I’m talking about one of, if not the most popular launchers on android. Plus since there are other exploits for thieves to get in to phones, such as factory resetting the phone(which can be safe guarded by Google locking your phone so it’s basically useless) I just think exploits through a launcher is less likely because majority of the consumer base runs phones stock out of the box and only really change wallpapers and ring tones. So in the grand scheme of things this would only truly apply to the hardcore android base that use launchers on their phones, which is small in itself compared to the potential victims of theft.

        • vamp07

          I don’t think anybody is arguing this is a reason to dump the v10 but it is an example of poor security. It makes the finger reader of little value for security purposes (if security is a concern) until marshmallow is ported and LG’s fingerprint reader is discarded in favor of android’s native implementation.

  • Jason Benedicto

    Lool done this to samsung note 5 and it works…not… Since you need to be rooted for this to work… But still bad nova bad nova

    • tanjiajun34

      I thought this does not require root? It is just a shortcut to run an activity of the settings apps. The fingerprint settings activity, bypassing all the checks.

      • TheDude

        nope it doesn’t

    • TheDude

      It used to work on the galaxy s6, with an older software version (according to @tanjiajun34:disqus )

  • Emanuel

    Only on the LG V10? Good … I was getting worried about my Note 4

  • abazigal

    Since the issue is with Nova launcher, looks like something that should be patched relatively quickly.

  • Gary Hicks

    Confirmed not working on the 6P.

  • Rotaru Cristian-Florin

    Nova or any other aplication which creates shortcuts, right? Also, if you hand your phone to anyone, they can install nova launcher if there is a internet connection, do these steps and uninstall nova

    • epdm2be

      If all fingerprints-slots are filled in there’s no problem. You can’t remove a print an re-scan another with that shortcut. So it is only useful when not all fingerprints-slots are used.

  • s2weden2000

    “potentially gain unlimited access to the device in the future.” except in the “future” the glitch will be fixed .. i bet it is a rooted device …

  • Robert Myers

    On my phome, the moto e (i know, sad lol) I can bypass lock scren by saying ok Google, then asking for directions, then backing out of directions. This takes you to main app screen.

    • Randy N. Gaston

      That is because in the security settings under ‘smart lock’ you have ‘trusted voice’ set to on. Trusted voice lets you say ‘ok google’ when the screen is on to unlock your phone. It is a feature and not a flaw.

      • Nik

        It’s a feature not a flaw – sounds so apple-ish. But yeah you’re right

  • tanjiajun34

    Actually I found the same security loophole with my s6 edge in the past during its earlier firmware versions. I just did my part and report to Samsung.

  • Kashif Nawaz

    I checked my Samsung S6. It’s still asking for password when I try to open fingerprint setting via activity shortcut.

  • Chauntella Stephanie Brown

    Wohhh this is scary.

  • Abhijeet

    This sounds like more of an issue of LG’s fingerprint authentication process than Nova launcher’s.

  • Jason Kim

    Isn’t this mainly because (THIS IS JUST MY THOUGHT… PLZ don’t kill me lol)

    LG V10 still runs Lollipop and Lollipop does not officially support Fingerprint functions (Starts from marshmallow)…
    Thus, LG had to run their fingerprint function in separate app or somehow (idk exactly since I am not developer or anything)

  • Žiga Štupar

    Well this is not LGs problem or fault at all, becouse Nova Launcher is not original LG software.

    • Rotaru Cristian-Florin

      Actually, it is LG’s fault. They let this fingerprint application unsecured.

      • Žiga Štupar

        nope user who insttaled nova launcher is at fault here

        • Latheryin

          Not even close. Android is about the ability to change this. It is a hole who cares who’s fault it is. Now that it is known it will be patched.

      • abqnm

        The app is secured, but only from the normal entry point. LG didn’t prevent the activity from being launched outside the normal entry point. This means that even ADB can do this. Or one of any number of apps that allow for launching activities directly.

        You’re correct. This is absolutely 100% LG’s issue. You should not ever be able to bypass security measures by installing apps from the play store.

  • epdm2be

    This also works on galaxy S5. The shortcut points to activity.StartEnrolactivity. This is easy to fix, just register all fingerprints (in the case of S5 that are 3 fingerprints.). When all fingers are registered you can’t remove one and re-register another though. As for the “bad nova” comments, this is a specific Nova feature. There’s nothing bad about it. Samsung and LG are to blame, they should guard their register- routine much better.

  • aaloo

    People are so funny. Dude, it’s android. Do you really think your finger print authentication is secure on android. Even sudhar pichai said android is not designed for security.


    Register 4 fingers and put all the tech trolls to sleep

  • James

    Nova is not the issue here, its just the tool being used in the example, any app that allows access to actions could be used or a purpose built app could do it.

    LG is at fault for not securing the action of adding a fingerprint.

    However the Youtuber ideally should have notified LG and given them time to fix it before publishing the issue.

    Though this type of security vulnerability would be classed as low risk, because the attacker would need to gain unlocked access to your phone in the first place.

    • Ichibanmugen

      It does however show that the security level is at UI level rather than system level so it is a bit flawed. I’m pretty sure LG will sort this out when they release MM on it

  • Nathaniel Sherman

    I find it disappointing for a site that generally shows a breadth and depth of Android knowledge to unnecessarily lead users to (mis)construe an article as slander against a single app. Any app which allows direct access to Activities, including any number of other launchers as well as other tools, provides the same means to bypass LG’s simple UI-only security check. The fact is that the pertinent Activity should double check authentication before allowing fingerprint input (just as any other security related Activity, system or app, should do the same).

  • abqnm

    @AndroidAuthority team, why no mention of reporting this to LG or following proper responsible disclosure? It’s pretty shady to post the vulnerability without ensuring LG had already been notified and failed to respond. Only then should this be published. I can only assume this was not done because nothing was mentioned regarding contacting LG.

    Be responsible. This is shameful.

  • Choda Boy

    Why are people blaming Nova Launcher? Like other apps, it allows you to create a shortcut to an activity. The burden of securing access to the activity is on the creator of the activity itself, not the shortcut creator.

  • vamp07

    I’m pretty sure you would have to have given Nova accessibility and or device admin priv before this would works. Does anybody else know? If I get a change I’ll test.

  • RiTCHiE

    LOL again kinda misleading because who the hell has nova launcher on their phone and with 3rd party things there is always risk.

  • Luke Tan

    Well, my V10 doesn’t even recognise my own fingerprints, so I’m not worried it’ll recognise anyone else’s.

    Joke aside, the fingerprint sensor on this thing is crap. It only unlocks on the first try half of the time, and never when my fingers are the least bit oily or wet. (And yes, I have the update that fixes the case issue.)

    Best of all time is still the one on the Nexus 6P.