Google password fill effort could kill Android malware's best tricks

Small boost to login speed could be a big roadblock for Marshmallow malware


Google may be paving the way to close one of the few remaining avenues for compromising modern Android handsets, in a bid to improve password security with a new open source API.

The feature, dubbed OpenYOLO (You Only Log In Once), will allow users to stay logged into all of their apps after entering their password manager credentials once.

Today, users who have tightened their security settings must unlock their password manager each time they access an application, a minor inconvenience.

The initiative is being sold as one that will make sign-in seamless.

Password management outfit Dashlane's community manager Malaika Nicholas says the company is working with "... other top password management companies, who will contribute their unique security and software development expertise to improve the design and implementation of this open API."

An underlying benefit, however, could be reduced reliance on special permissions on the latest Android releases, version 5 (Lollipop) and version 6 (Marshmallow).

That could feasibly allow Google to lock down those permission controls, which sit behind the device's security PIN screens, more tightly, frustrating malware writers' efforts to trick users into granting them.

Password managers such as LastPass and Dashlane currently require users to grant permissions including accessibility-based application filling and draw over other apps in order to insert passwords into third-party apps.

Those same capabilities are used by modern malware to spy on other applications and steal login information: an accessibility service can read what is on screen and act on the user's behalf, and an overlay can draw a fake login form on top of a legitimate app.
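The combination described above, an enabled accessibility service plus draw-over-other-apps, is exactly what a responder would look for when triaging a handset. The script below is an added example, not code from the article, Google or any password manager vendor. It parses the output of three adb commands (`settings get secure enabled_accessibility_services`, `dumpsys package <pkg>` and `appops get <pkg> SYSTEM_ALERT_WINDOW`) and lists apps holding both capabilities that are not on a vetted allow-list. The package names, the allow-list and all sample command output are constructed for the example; a real run would feed in captured output instead.

```python
"""Triage which installed Android apps hold both an enabled accessibility
service and draw-over-other-apps (android.permission.SYSTEM_ALERT_WINDOW).

Added example, not from the article. Legitimate password managers need both
capabilities; so does overlay malware, so the result is a review shortlist
checked against an allow-list, not a verdict.

Input formats assumed here:
  adb shell settings get secure enabled_accessibility_services
      -> "pkg/.Service:pkg2/.Service2"   ("null" when nothing is enabled)
  adb shell dumpsys package <pkg>
      -> contains "android.permission.SYSTEM_ALERT_WINDOW: granted=true"
  adb shell appops get <pkg> SYSTEM_ALERT_WINDOW    (Marshmallow and later)
      -> contains "SYSTEM_ALERT_WINDOW: allow"
All sample text below is constructed for this example, not captured from a device.
"""
import re

# Constructed sample value of the secure setting (colon-separated ComponentNames).
SAMPLE_ENABLED_A11Y = (
    "com.example.pwmanager/com.example.pwmanager.FillService:"
    "com.example.fungame/.HelperService:"
    "com.example.screenreader/.ReaderService"
)

# Constructed per-package excerpts of `dumpsys package` / `appops get` output.
SAMPLE_PERMISSION_DUMPS = {
    "com.example.pwmanager": (
        "      install permissions:\n"
        "        android.permission.SYSTEM_ALERT_WINDOW: granted=true\n"
        "        android.permission.INTERNET: granted=true\n"
    ),
    "com.example.fungame": "SYSTEM_ALERT_WINDOW: allow; time=+1d2h3m4s ago\n",
    "com.example.screenreader": (
        "        android.permission.SYSTEM_ALERT_WINDOW: granted=false\n"
    ),
    "com.example.notes": "        android.permission.INTERNET: granted=true\n",
}

# Hypothetical allow-list of password managers the organisation has vetted.
ALLOWLIST = {"com.example.pwmanager"}

# Matches either the dumpsys "granted=true" line or the appops "allow" line.
_OVERLAY_GRANTED = re.compile(
    r"(android\.permission\.SYSTEM_ALERT_WINDOW:\s*granted=true"
    r"|^\s*SYSTEM_ALERT_WINDOW:\s*allow\b)",
    re.MULTILINE,
)


def parse_enabled_accessibility(setting_value):
    """Return the set of package names that have an enabled accessibility service."""
    value = (setting_value or "").strip()
    if value in ("", "null"):
        return set()
    packages = set()
    for component in value.split(":"):
        component = component.strip()
        if component:
            packages.add(component.split("/", 1)[0])
    return packages


def has_overlay_permission(permission_dump):
    """True if the dump shows draw-over-other-apps granted (dumpsys) or allowed (appops)."""
    return _OVERLAY_GRANTED.search(permission_dump) is not None


def overlay_capable_accessibility_apps(setting_value, dumps_by_package, allowlist=frozenset()):
    """Sorted packages holding both capabilities, excluding allow-listed ones."""
    a11y_packages = parse_enabled_accessibility(setting_value)
    hits = [
        pkg for pkg in a11y_packages
        if pkg not in allowlist and has_overlay_permission(dumps_by_package.get(pkg, ""))
    ]
    return sorted(hits)


if __name__ == "__main__":
    for pkg in overlay_capable_accessibility_apps(
        SAMPLE_ENABLED_A11Y, SAMPLE_PERMISSION_DUMPS, ALLOWLIST
    ):
        print(f"review: {pkg} has accessibility + overlay and is not allow-listed")
```

Run against the constructed sample, the script reports only `com.example.fungame`: the password manager is allow-listed, the screen reader has accessibility but not overlay, and the notes app has neither. The allow-list is deliberately a positive list of vetted package names rather than a pattern match on "password manager", since a malicious app can name itself anything.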

Skycure security researcher Yair Amit has demonstrated how malware writers can use a basic game to trick users into approving those permissions.

Others have warned of the rise of overlay-abusing malware. IBM's Limor Kessem has found one such offering whose price has risen from US$5,000 to as much as US$15,000. ®


Biting the hand that feeds IT © 1998–2021