I think the interesting part is that either this software was able to access the biometric scan feature and inject their own data into it (which third party software should not be able to access or inject at all, only the OS should be able to access, and injecting should be impossible), or was able to access the Secure Enclave directly (which would be a really big deal and a major breach).