Android password managers can be tricked into entering valid login credentials into phishing apps, a group of researchers has discovered.

They have also found that Instant Apps, a Google technology that allows users to “try” Android apps without the need to fully install them, can make phishing attacks more practical.

Android password manager Dashlane suggesting Facebook credentials to a fake malicious app

The research

Simone Aonzo, Alessio Merlo, and Giulio Tavella from the University of Genoa and Yanick Fratantonio from EURECOM tested a number of Android password managers – 1Password, Dashlane, Keeper, LastPass, and Google Smart Lock – and found that all except that last one trust an app if it has the correct app package name.

But that package name can be spoofed by phishers and that’s enough for the password manager to suggest (autofill) the credentials on the user’s behalf.

“It is interesting to note how, on the web, password managers do not ease phishing attacks, but quite the opposite. In fact, web password managers check the current website domain name to determine whether to auto-fill (or auto-suggest) credentials: if the domain name does not match the expectations, no credentials are suggested. Thus, an attacker that uses particular Unicode characters to create a facebook.com-looking domain name may fool a human, but not a password manager: the malicious domain name will be different from the legitimate one, and the password manager suggestion will not trigger,” the researchers pointed out.

“We thus argue that the mere fact that a mobile password manager is suggesting credentials associated with the target website inherently adds legitimacy to the attack, making it even more effective.”

Add to this that the password managers don’t notice the difference between an Instant App and a fully installed one, and it turns out that the password managers can be tricked into auto-filling credentials without even requiring the installation of an additional app.

“This allows an attacker to bootstrap an end-to-end phishing attack by luring the victim into visiting a ma- licious webpage: such webpage may contain, for example, a fake Facebook-related functionality. Upon clicking on it, the Instant App mechanism is triggered, the attacker can spoof a full-screen Facebook login form, at which point the password manager would offer to automatically fill the credentials on behalf of the victim,” they explained.

And, finally and unfortunately, the password managers will also fill hidden fields.

The proposed solution: A new API

The researchers believe a new API is in order to fix these vulnerabilities, and that this new getVerifiedDomainNames() API shouldn’t trust package names but should check whether the domain asking for the credentials is associated with the app that connects to it.

For the password managers to be able to do that, websites owners should be forced to publish an “assets” file on their website so that an app-website “link” can be established.

Unfortunately, this mechanism can’t be currently implemented as an overwhelming majority (98%) of domains extracted from the password managers don’t have an assetlinks.json compatible with the proposed API. This solution would, therefore, require a community-wide effort.

As an interim solution, the vulnerable password managers can do what Google did with Smart Lock.

“Google Smart Lock has addressed these problems by not relying on a fully automatic technique (developers need to manually fill a Google form) and by supporting app-to-web sync only when a secure mapping exists. We argue that the rest of password managers should follow a similar approach and warn the user about potential problems when a secure app-to-web association cannot be established,” the researchers added.