Password managers can be tricked into believing that malicious Android apps are legitimate

Password managers from Keeper, Dashlane, LastPass, and 1Password found to be vulnerable, study finds.

A new academic study published today reveals that Android-based password managers have a hard time distinguishing between legitimate and fake applications, leading to easy phishing scenarios.

The study looked at how password managers work on modern versions of the Android OS, and which of the OS features attackers can abuse to collect user credentials via phishing attacks carried out via fake, lookalike apps.

What the research team found was that password managers, initially developed for desktop browsers, aren't as secure as their desktop versions.

The problem comes from the fact that mobile password managers have a hard time associating a user's stored website credentials with a mobile application and then creating a link between that website and an official app.

Also: The best password managers for 2018 CNET

Most password managers use an Android app's package name to establish a connection to a real-world website URL, and then associate the user's credentials for that website with a mobile app.

But within the Android ecosystem, package names cannot be trusted, as they can be faked by a malicious actor quite easily. This leads to situations where a malicious app can trick a mobile password manager into associating it with a legitimate website.

For example, when a user opens a malicious app and the app prompts for login credentials, password managers that get tricked by the fake app package name will suggest login credentials for a legitimate service, allowing the fake app to collect the user's username and password for later (ab)use.

password-managers-fooled.png

In the image above, the fake app uses a generic UI, but in the real world, attackers would almost certainly use apps that are near identical clones of legitimate apps, at a pixel level accuracy.

Even if a user might have suspicious about an app's authenticity, when a trusted password manager suggests to auto-fill login credentials, this might be the final piece that may sometimes push users into thinking the fake app is, in fact, real, when it is not.

Researchers say they tested the way five Android password managers create internal maps (connections) between a locally installed app and legitimate internet sites and found that four of the five were vulnerable to abuse.

Android versions of password managers from Keeper, Dashlane, LastPass, and 1Password were found to be vulnerable and have prompted the user to auto-fill credentials on fake apps during tests. Researchers found that Google's Smart Lock app did not fall for this fake package name trick, and the reason was because it used a system named Digital Asset Links to authenticate and connect apps to a particular online service.

password-managers-findings.png

But the research work didn't stop here. Academics also looked at what happens after a malicious Android app tricks a password manager into thinking it's legitimate.

Also: Worries arise about security of new WebAuthn protocol

The team found that password managers don't find it suspicious that some login forms use a 0.01 transparency setting --which makes login forms near invisible-- and they would auto-fill credentials inside these forms.

Similarly, password managers would also fill in passwords inside apps that come with login forms designed to use the same background and foreground color, making the forms blend into the app's background, and also in login forms with super minuscule dimensions of 1dp x 1dp.

On top of this, password managers would also auto-fill credentials inside login forms for apps loaded via a new Google technology named Instant Apps that allows users to test apps for a short amount of time.

Researchers argue that any app loaded as a (temporary) Instant App should be blacklisted on a password manager's list because this technology is used for previewing apps, and most of these apps won't live long on the user's device, hence, password managers should never trust these apps, regardless of package name.

Also: How to install and use the PassFF Firefox password manager TechRepublic

The research team says they contacted the companies behind all the tested password managers apps with their findings.

"They were very professional in handling the matter," said Yanick Fratantonio, one of the researchers behind the study. "Some of them should have their own blog posts about these findings."

As the researcher anticipated, some of them did. The Keeper team published a blog post with information on how they fixed the issue while a LastPass spokesperson provided ZDNet with the following statement.

This particular vulnerability in Android's app ecosystem was brought to our attention by the University of Genoa, Italy, and EURECOM researchers through our Bug Bounty Program. While continued efforts from the web and Android communities will also be required, we have already implemented changes to our LastPass Android app to mitigate and minimize the risk of the potential attack detailed in this report. Our app now requires explicit user approval before filling any unknown apps, and we've increased the integrity of our app associations database in order to minimize the risk of any "fake apps" being filled/accepted. At this time, we have no indication or reason to believe that any sensitive LastPass user data has been compromised. As always, delivering a secure service for our users remains our top priority and we will continue to work with the security community to respond and fix potential vulnerability reports as quickly as possible.

Fratantonio also says the research team contacted Google with their research and provided "a new getVerifiedDomainNames() API that builds on DAL entries" that they hope Google will include in the Android OS to improve app verification procedures.

Last but not least, the research team also recommended that developers of legitimate apps implement DAL entries for their apps and websites. These DAL entries will help password managers and other Android apps verify the identity of third-party apps in the future and prevent malicious apps from using fake package name and other identifiers.

More details about this research are available in a white paper published today by researchers from the University of Genoa, Italy, and EURECOM, a French cyber-security firm. The paper's name is " Phishing Attacks on Modern Android."

Previous and related coverage:

What is malware? Everything you need to know

Cyber attacks and malware are one of the biggest threats on the internet. Learn about the different types of malware - and how to avoid falling victim to attacks.

Security 101: Here's how to keep your data private, step by step

This simple advice will help to protect you against hackers and government surveillance.

VPN services 2018: The ultimate guide to protecting your data on the internet

Whether you're in the office or on the road, a VPN is still one of the best ways to protect yourself on the big, bad internet.

FBI solves mystery surrounding 15-year-old Fruitfly Mac malware

Fruitfly malware author used port scanning with weak or no passwords to identify potential victims.

Meet Torii, a new IoT botnet far more sophisticated than Mirai variants

The evolving IoT botnet is able to compromise an impressive array of architectures.

Teenage Apple hacker avoids jail for 'hacky hack hack' attack

The self-proclaimed Apple fan stole roughly 90GB of confidential data from the iPad and iPhone maker.

Related stories: