A new academic study published today reveals that Android-based password managers have a hard time distinguishing between legitimate and fake applications, leading to easy phishing scenarios.
The study looked at how password managers work on modern versions of the Android OS, and which of the OS features attackers can abuse to collect user credentials via phishing attacks carried out via fake, lookalike apps.
What the research team found was that password managers, initially developed for desktop browsers, aren’t as secure as their desktop versions.
The problem comes from the fact that mobile password managers have a hard time associating a user’s stored website credentials with a mobile application and then creating a link between that website and an official app.
CNET: The best password managers for 2018
Most password managers use an Android app’s package name to establish a connection to a real-world website URL, and then associate the user’s credentials for that website with a mobile app.
But within the Android ecosystem, package names cannot be trusted, as they can be faked by a malicious actor quite easily. This leads to situations where a malicious app can trick a mobile password manager into associating it with a legitimate website.
For example, when a user opens a malicious app and the app prompts for login credentials, password managers that get tricked by the fake app package name will suggest login credentials for a legitimate service, allowing the fake app to collect the user’s username and password for later (ab)use.
In the image above, the fake app uses a generic UI, but in the real world, attackers would almost certainly use apps that are near identical clones of legitimate apps, at a pixel level accuracy.
Even if a user might have suspicious about an app’s authenticity, when a trusted password manager suggests to auto-fill login credentials, this might be the final piece that may sometimes push users into thinking the fake app is, in fact, real, when it is not.
Researchers say they tested the way five Android password managers create internal maps (connections) between a locally installed app and legitimate internet sites and found that four of the five were vulnerable to abuse.
Android versions of password managers from Keeper, Dashlane, LastPass, and 1Password were found to be vulnerable and have prompted the user to auto-fill credentials on fake apps during tests. Researchers found that Google’s Smart Lock app did not fall for this fake package name trick, and the reason was because it used a system named Digital Asset Links to authenticate and connect apps to a particular online service.
But the research work didn’t stop here. Academics also looked at what happens after a malicious Android app tricks a password manager into thinking it’s legitimate.
The team found that password managers don’t find it suspicious that some login forms use a 0.01 transparency setting –which makes login forms near invisible– and they would auto-fill credentials inside these forms.
Similarly, password managers would also fill in passwords inside apps that come with login forms designed to use the same background and foreground color, making the forms blend into the app’s background, and also in login forms with super minuscule dimensions of 1dp x 1dp.
On top of this, password managers would also auto-fill credentials inside login forms for apps loaded via a new Google technology named Instant Apps that allows users to test apps for a short amount of time.
Researchers argue that any app loaded as a (temporary) Instant App should be blacklisted on a password manager’s list because this technology is used for previewing apps, and most of these apps won’t live long on the user’s device, hence, password managers should never trust these apps, regardless of package name.
TechRepublic: How to install and use the PassFF Firefox password manager
The research team says they contacted the companies behind all the tested password managers apps with their findings.
“They were very professional in handling the matter,” said Yanick Fratantonio, one of the researchers behind the study. “Some of them should have their own blog posts about these findings.”
Fratantonio also says the research team contacted Google with their research and provided “a new getVerifiedDomainNames() API that builds on DAL entries” that they hope Google will include in the Android OS to improve app verification procedures.
Last but not least, the research team also recommended that developers of legitimate apps implement DAL entries for their apps and websites. These DAL entries will help password managers and other Android apps verify the identity of third-party apps in the future and prevent malicious apps from using fake package name and other identifiers.
More details about this research are available in a white paper published today by researchers from the University of Genoa, Italy, and EURECOM, a French cyber-security firm. The paper’s name is “Phishing Attacks on Modern Android.”