
Researchers use Android password managers to make phishing attacks more practical

Filip TRUȚĂ

October 02, 2018


Password managers promise not only to make life easy, but also to keep your login information safe from prying eyes. Yet one team of researchers has discovered that someone with bad intentions can take advantage of mobile password managers to gain unauthorized access to victims' accounts.

Simone Aonzo, Alessio Merlo, and Giulio Tavella from the University of Genoa and Yanick Fratantonio from EURECOM found that certain Android password managers can be tricked into entering valid login credentials into phishing apps. The trick even works with Google's try-before-you-buy Instant Apps, which let users take apps for a spin without actually installing their contents on the device.

The team put a number of popular password managers to the test, including 1Password, Dashlane, Keeper, LastPass, and Google Smart Lock. All but the last were found vulnerable to their proof-of-concept, which they explain as follows:

“To exploit the first mapping strategy, the attacker can create an app with a package name beginning with the reverse of the target domain name. For example, we created an app with package name com.facebook.evil and we were able to upload it to the Play Store without problems: when the user opens this app, LastPass automatically suggests credentials related to facebook.com.”

Unlike web password managers, which check the website's domain name and other aspects before auto-filling credentials, Android password managers only look at the app's package name to decide whether to authorize autofill.

Fixing the problem would require quite an effort on the part of website owners and application developers alike, the researchers said. The former group would have to create new APIs for the developers to interrogate in the authorization process. A quicker solution would be to mimic Google Smart Lock's functionality:

“Google Smart Lock has addressed these problems by not relying on a fully automatic technique (developers need to manually fill a Google form) and by supporting app-to-web sync only when a secure mapping exists. We argue that the rest of password managers should follow a similar approach and warn the user about potential problems when a secure app-to-web association cannot be established,” the researchers said.
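To make the difference between the two approaches concrete, here is an added example (not code from the researchers or from any of the password managers named above). It models a weak package-name-to-domain heuristic beside a verified mapping that only trusts a package name when the site has vouched for that package and its signing-certificate fingerprint, and returns the "warn the user" outcome the researchers recommend when no secure association exists. The association table, the fingerprints and the `com.facebook.evil`-style package names are constructed for the example; `com.facebook.katana` is the real Facebook app's package name.

```python
from typing import Optional, Tuple

# Constructed sample of associations a site would publish about its own apps
# (modelled on Android Digital Asset Links, assumed here to be fetched over
# HTTPS from the site). Fingerprints are placeholders, not real certificates.
VERIFIED_ASSOCIATIONS = {
    "facebook.com": {("com.facebook.katana", "SHA256:FB-OFFICIAL-PLACEHOLDER")},
}


def naive_domain_for_package(package: str) -> Optional[str]:
    """Weak strategy from the article: reverse the first two package labels.

    'com.facebook.katana' -> 'facebook.com', but so does 'com.facebook.evil',
    because the heuristic never asks facebook.com whether it owns the app."""
    labels = package.split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return f"{labels[1]}.{labels[0]}"


def verified_domain_for_package(package: str, cert_fingerprint: str) -> Optional[str]:
    """Secure strategy: a domain is returned only for a (package, signing-cert)
    pair that the site itself published. A look-alike package name, or the real
    package name re-signed by someone else, finds no match."""
    for domain, apps in VERIFIED_ASSOCIATIONS.items():
        if (package, cert_fingerprint) in apps:
            return domain
    return None


def autofill_decision(package: str, cert_fingerprint: str) -> Tuple[str, Optional[str]]:
    """Decide what an autofill service should do for a requesting app.

    'fill' when a verified mapping exists, 'warn' when only the heuristic
    produces a candidate domain (show it to the user, never fill silently),
    'deny' when no domain can be derived at all."""
    verified = verified_domain_for_package(package, cert_fingerprint)
    if verified is not None:
        return "fill", verified
    guessed = naive_domain_for_package(package)
    if guessed is not None:
        return "warn", guessed
    return "deny", None
```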
