https://www.bleepingcomputer.com/news/security/chameleon-android-malware-disables-biometric-unlock-to-steal-pins/

The Chameleon Android banking trojan has re-emerged with a new version that uses a tricky technique to take over devices — disable fingerprint and face unlock to steal device PINs.

It does this by using an HTML page trick to acquire access to the Accessibility service and a method to disrupt biometric operations to steal PINs and unlock the device at will.