Zack Whittaker, writing for ZDNet:

The attack, which was confirmed on the HTC One Max and Samsung’s Galaxy S5, allows a hacker to stealthily acquire a fingerprint image from an affected device because device makers don’t fully lock down the sensor.

Making matters worse, the sensor on some devices is only guarded by the “system” privilege instead of root, making it easier to target. (In other words: rooting or jailbreaking your phone can leave you at a greater risk.) Once the attack is in place, the fingerprint sensor can continue to quietly collect fingerprint data on anyone who uses the sensor.

“In this attack, victims’ fingerprint data directly fall into attacker’s hand. For the rest of the victim’s life, the attacker can keep using the fingerprint data to do other malicious things,” Zhang said. And that’s a big problem. Fingerprints might be commonplace in mobile payments and unlocking devices, but they have been used more in the past five years also for identity, immigration, and for criminal records.

Sigh. If this is true, let’s hope the manufacturers are paying attention.