Hitoshi Kokumai
Dec 23, 2023

“Android Banking Trojan Chameleon can now bypass any Biometric Authentication”

We could easily think of two ways to break/bypass biometrics -

(1) By taking advantage of the zone of False Acceptance, for which AI-enhanced spoofing techniques help a lot.

(2) By attacking a weak default password/pincode that is deployed with probabilistic biometrics in a security-destructive two/multi-entrance formation (as against an ostensibly security-enhancing two/multi-entrance formation).

In any case, both are threats about which we have kept warning for more than two decades and for which we came up with the conclusive ruling as a 2-minute video seven years ago — ‘Biometrics in Cyber Space — “below-one” factor authentication’

Interested to know more about the security-destructive effect of biometrics authentication and biometrics-involved MFA? — You could refer to this collection of biometrics blogs “Probabilistic Biometrics Unravelled : How it brings down identity security”

(3) We would certainly be curious to know if another channel to bypass the biometrics is found.

Thanks to Jim Angleton for bringing me to this intriguing report -



