A new academic study published today reveals that Android-based password managers have a hard time distinguishing between legitimate and fake applications, leading to easy phishing scenarios.
The study looked at how password managers work on modern versions of the Android OS, and which of the OS features attackers can abuse to collect user credentials via phishing attacks carried out via fake, lookalike apps.
What the research team found was that password managers, initially developed for desktop browsers, aren't as secure as their desktop versions.
The problem comes from the fact that mobile password managers have a hard time associating a user's stored website credentials with a mobile application and then creating a link between that website and an official app.
Also: The best password managers for 2018 CNET
Most password managers use an Android app's package name to establish a connection to a real-world website URL, and then associate the user's credentials for that website with a mobile app.
But within the Android ecosystem, package names cannot be trusted, as they can be faked by a malicious actor quite easily. This leads to situations where a malicious app can trick a mobile password manager into associating it with a legitimate website.
For example, when a user opens a malicious app and the app prompts for login credentials, password managers that get tricked by the fake app package name will suggest login credentials for a legitimate service, allowing the fake app to collect the user's username and password for later (ab)use.
In the image above, the fake app uses a generic UI, but in the real world, attackers would almost certainly use apps that are near identical clones of legitimate apps, at a pixel level accuracy.
Even if a user might have suspicious about an app's authenticity, when a trusted password manager suggests to auto-fill login credentials, this might be the final piece that may sometimes push users into thinking the fake app is, in fact, real, when it is not.
Researchers say they tested the way five Android password managers create internal maps (connections) between a locally installed app and legitimate internet sites and found that four of the five were vulnerable to abuse.
Android versions of password managers from Keeper, Dashlane, LastPass, and 1Password were found to be vulnerable and have prompted the user to auto-fill credentials on fake apps during tests. Researchers found that Google's Smart Lock app did not fall for this fake package name trick, and the reason was because it used a system named Digital Asset Links to authenticate and connect apps to a particular online service.
But the research work didn't stop here. Academics also looked at what happens after a malicious Android app tricks a password manager into thinking it's legitimate.
The team found that password managers don't find it suspicious that some login forms use a 0.01 transparency setting --which makes login forms near invisible-- and they would auto-fill credentials inside these forms.
Similarly, password managers would also fill in passwords inside apps that come with login forms designed to use the same background and foreground color, making the forms blend into the app's background, and also in login forms with super minuscule dimensions of 1dp x 1dp.
On top of this, password managers would also auto-fill credentials inside login forms for apps loaded via a new Google technology named Instant Apps that allows users to test apps for a short amount of time.
Researchers argue that any app loaded as a (temporary) Instant App should be blacklisted on a password manager's list because this technology is used for previewing apps, and most of these apps won't live long on the user's device, hence, password managers should never trust these apps, regardless of package name.
Also: How to install and use the PassFF Firefox password manager TechRepublic
The research team says they contacted the companies behind all the tested password managers apps with their findings.
"They were very professional in handling the matter," said Yanick Fratantonio, one of the researchers behind the study. "Some of them should have their own blog posts about these findings."
As the researcher anticipated, some of them did. The Keeper team published a blog post with information on how they fixed the issue while a LastPass spokesperson provided ZDNet with the following statement.
This particular vulnerability in Android's app ecosystem was brought to our attention by the University of Genoa, Italy, and EURECOM researchers through our Bug Bounty Program. While continued efforts from the web and Android communities will also be required, we have already implemented changes to our LastPass Android app to mitigate and minimize the risk of the potential attack detailed in this report. Our app now requires explicit user approval before filling any unknown apps, and we've increased the integrity of our app associations database in order to minimize the risk of any "fake apps" being filled/accepted. At this time, we have no indication or reason to believe that any sensitive LastPass user data has been compromised. As always, delivering a secure service for our users remains our top priority and we will continue to work with the security community to respond and fix potential vulnerability reports as quickly as possible.
Fratantonio also says the research team contacted Google with their research and provided "a new getVerifiedDomainNames() API that builds on DAL entries" that they hope Google will include in the Android OS to improve app verification procedures.
Last but not least, the research team also recommended that developers of legitimate apps implement DAL entries for their apps and websites. These DAL entries will help password managers and other Android apps verify the identity of third-party apps in the future and prevent malicious apps from using fake package name and other identifiers.
More details about this research are available in a white paper published today by researchers from the University of Genoa, Italy, and EURECOM, a French cyber-security firm. The paper's name is " Phishing Attacks on Modern Android."
Previous and related coverage:
Cyber attacks and malware are one of the biggest threats on the internet. Learn about the different types of malware - and how to avoid falling victim to attacks.
This simple advice will help to protect you against hackers and government surveillance.
Whether you're in the office or on the road, a VPN is still one of the best ways to protect yourself on the big, bad internet.
Fruitfly malware author used port scanning with weak or no passwords to identify potential victims.
The evolving IoT botnet is able to compromise an impressive array of architectures.
The self-proclaimed Apple fan stole roughly 90GB of confidential data from the iPad and iPhone maker.
- NSA says searches of Americans' data spiked in 2017
- Pennsylvania Senate Democrats paid $700,000 to recover from ransomware attack
- Man gets two years in prison for sabotaging US Army servers with 'logic bomb'
- What technical skills is NSA looking for?
- Why the 'fixed' Windows EternalBlue exploit won't die
- Remove yourself from people search sites and erase your online presence
- Google secretly logs users into Chrome whenever they log into a Google site
- Python is a hit with hackers, report finds
- Data firm leaks 48 million user profiles it scraped from Facebook, LinkedIn, others
- Port of San Diego suffers cyber-attack, second port in a week after Barcelona
- Android spyware in development plunders WhatsApp data, private conversations
- New Linux 'Mutagen Astronomy' security flaw impacts Red Hat and CentOS distros
- French cyber-security agency open-sources CLIP OS, a security hardened OS
- Cisco: Linux kernel FragmentSmack bug now affects 88 of our products
- Firefox bug crashes your browser and sometimes your PC