Share
A major security investigation has revealed that six in 10 Android smartphones can be tricked into unlocking using a simple 2D printed photograph.
The UK’s consumer association Which? conducted extensive lab testing on 208 mobile phone models since October 2022, finding that a staggering 133 devices (64% of those tested) failed to distinguish between a real human face and a flat image.
The flaw primarily affects devices that rely on standard 2D facial recognition systems. Unlike more sophisticated technology, these cameras capture a flat image that lacks depth perception, making it impossible for the software to distinguish between a high-resolution photo and a living person consistently.
The failure rate has fluctuated significantly over recent years. While 53% of phones failed in 2023, that figure spiked to 72% in 2024, before settling at 63% in 2025.
The list of vulnerable handsets includes high-end flagship models that retail for over £1,000, such as the Motorola Razr 50 Ultra and the Oppo Find X9 Pro. Samsung’s former flagship range, the Galaxy S25 series, also fell victim to the photo spoofing test.
However, there are signs of improvement in the latest hardware. Apple’s Face ID and the new Samsung Galaxy S26 series successfully passed the tests by using 3D mapping technology, which projects thousands of invisible dots to create a complex depth map of the user’s face.
Which? raised particular concern regarding manufacturers that fail to provide “adequate” warnings about these security limitations during device setup. Motorola, OnePlus, and the newer brand Nothing were singled out for either burying warnings in terms and conditions or failing to provide them prominently.
“In this age of cutting-edge technology, it seems unbelievable that phone cameras could be fooled by a printed photo – and yet they can be,” said Lisa Barber, Tech Editor at Which? The group warns that if a thief bypasses the lock screen, they could access private messages, reset account passwords via email and view sensitive photo galleries.
To mitigate the risk, users of affected models are urged to switch to fingerprint sensors or PIN codes for more robust security.
Phones that are ineligible for a Which? Best Buy or Great Value recommendation as they do not provide an adequate warning that their face recognition software can be bypassed include:
-
Fairphone 6
-
Honor Magic6 Lite 5G
-
Motorola Moto G75 5G, Motorola Edge 60 Pro, Motorola Edge 60 fusion, Motorola Moto G56 5G, Motorola G86, Motorola Edge 40 Neo, Motorola Moto g35, Motorola Moto g55, Motorola Razr 50 Ultra, Motorola Edge 50 Ultra, Motorola Edge 50 Pro, Motorola Moto G73
-
Nothing Phone (2a) Plus, Nothing Phone (3a), Nothing Phone (3a) Pro, Nothing Phone (3), Nothing Phone (2a)
-
OnePlus 13R, OnePlus 13, OnePlus Nord 5, OnePlus Nord CE5, OnePlus 15, OnePlus Nord 3 5G
-
Oppo Reno 13 F, Oppo Reno 13 Pro, Oppo Find X9 Pro, Oppo Find X9, Oppo Reno 11 F 5G
How to secure your phone
-
Switch to Fingerprint or PIN: If you own a phone with 2D face unlock that isn’t a recent Pixel phone, turn it off in your settings and use the fingerprint scanner or a 6-digit PIN.
-
Set a SIM PIN: It prevents a thief from taking your SIM card and putting it in another phone to intercept your bank’s security codes sent via text.
-
Extra Protection: Use ‘App Lock’ features (available on many Androids) to require a fingerprint specifically for sensitive apps like WhatsApp, your Email, or your Photo Gallery.
Phone security explained
The most common unlocking methods from most to least secure:
|
Security Level |
Method |
Why? |
|
Highest |
Long PIN / Complex Password |
The hardest for a stranger to guess or spoof digitally. |
|
High |
Fingerprint Sensor |
Very secure, as it requires your physical presence. |
|
High |
3D Face ID or Secure 2D (Pixel 8+) |
Uses depth mapping or advanced AI to prevent simple photo spoofing. |
|
Low |
Standard 2D Face Recognition |
Convenient, but as our tests show, often easily fooled by a photo. |
|
Lowest |
Pattern Unlock / Swipe |
Avoid these – they are easily ‘shoulder-surfed’ by someone watching you. |
Rights of reply:
A Fairphone spokesperson said: “At Fairphone, privacy and security are fundamental to our design. The Fairphone (Gen. 6) utilizes 2D facial recognition, which is categorized as a Class 1 biometric under Android’s security framework. This is a widely adopted industry standard utilized by many leading smartphone brands and inherently shares the same limitations.
“Because it is a Class 1 biometric, the Android system automatically enforces strict security restrictions; Face Unlock can only be used to access the lock screen and is strictly blocked from sensitive actions, such as NFC payments or banking apps.”
Honor explained that 2D systems have technical limits that can make them susceptible to being tricked by photos, videos, or silicone masks. Because of this, it views the feature as a tool for convenience rather than for authorising sensitive transactions. Users are informed during setup that the system is less secure than a password. For anyone needing top-tier security for things like banking, Honor suggests its flagship ‘Pro’ models, which carry 3D facial recognition built for those use cases.
A Motorola spokesperson said: “Security has always been at the core of what we do and the security of our consumers remains a top priority for Motorola. The Face Unlock technology is intended to support convenient unlocking of the phone, although Motorola reminds and recommends that consumers use a PIN, password or pattern for enhanced security. Also, if a consumer chooses to use Face Unlock for convenience after consenting to use this feature, they will also need to choose a pattern, PIN or password to secure their device. This added layer of protection secures the phone if the consumer is away from their phone for more than four hours or after restarting the device.”
OnePlus told Which? that it is already being transparent about these risks. It pointed to a mandatory ‘Statement on Using Face Recognition’ that every user must read before they can turn the feature on. This notice tells owners that the technology is less secure than a fingerprint or a numeric password. It also warns that, in rare cases, the camera could be tricked by an object or a person with a similar appearance to the owner.
Asus, HMD, Nokia, Realme, Samsung, Vivo, Xiaomi, Nothing and Oppo did not provide a comment for publication.
Related Posts
Discover more from Tech Digest
Subscribe to get the latest posts sent to your email.