Boffins bypass password protection with pilfering by phony programs
Google Instant Apps still needs a lot of work on security
Password managers on mobile devices can be tricked by imposter apps into handing over a user's passwords.
This is according to a paper [PDF] from researchers at the University of Genoa and EURECOM, who found that the Android Instant Apps feature is designed such that an Instant App can ask for, and receive, stored credentials from password managers that were meant for other applications.
The problem is that Instant Apps, a feature intended to let users try out portions of an Android app without fully installing it by running remotely hosted code, are not properly distinguished from fully installed apps by either users or password managers.
The researchers say that a number of popular Android password managers are also prone to falling for spoofed package names and metadata entries that lead them to conclude a spoofed app is authentic.
"This means that the package name of the Instant App is attacker-controlled, and that it is thus possible to trick password managers to auto-fill credentials for an attacker-chosen website even without requiring the installation of an additional app," the researchers explain.
"This allows an attacker to bootstrap an end-to-end phishing attack by luring the victim into visiting a malicious webpage: such webpage may contain, for example, a fake Facebook-related functionality."
The paper paints a picture of an attack scenario where an attacker would lure the user to a lookalike page, or even just a fake 'like' button, that would then prompt the user to approve opening a lookalike 'instant app' package that is connected to the attacker's server.
From there, the malicious instant app would present itself as a valid app (such as Facebook) and request the password manager hand over login credentials. Neither the user, nor the password manager, would be aware they had been conned.
"We believe this attack strategy significantly lowers the bar, with respect to all known phishing attacks on the web and mobile devices: to the best of our knowledge, this is the first attack that does not assume a malicious app already installed on the phone and that does not even require the user to insert her credentials," the researchers say.
"These attacks are strictly more practical than all currently known mobile phishing works."
In the end, the researchers say the solution to the issue is not for password managers to change how they operate, but rather for Google to develop a more reliable and secure method for password tools to verify that the apps asking for credentials are who they say they are.
"The key design issue is that all these mechanisms use package names as the main abstraction to work with, thus leaving developers of password managers with the daunting task of mapping apps to their associated domain names," the paper reads.
"Given the number of security issues and misplaced trust assumptions we have identified in leading password managers, we believe third-party developers should not be asked to implement this critical step."
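To make the package-name problem concrete, here is an added illustration (not code from the paper or from any password manager) of the two autofill decisions the researchers contrast: a manager that maps a package name straight to a site, which an Instant App with an attacker-chosen package name defeats, beside one that also binds the request to the app's signing-certificate fingerprint through a Digital Asset Links statement of the kind a site publishes at /.well-known/assetlinks.json. The vault entry, the "certificates" (plain byte strings standing in for DER) and the assetlinks statement are all constructed for the example, and refusing to fill for Instant Apps at all is a policy assumed here, not something the paper prescribes.

```python
import hashlib
from dataclasses import dataclass


def cert_fingerprint(cert: bytes) -> str:
    """SHA-256 of the signing cert in the colon-separated form assetlinks.json uses."""
    digest = hashlib.sha256(cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed stand-ins for DER signing certificates; not real keys or certs.
GENUINE_CERT = b"constructed stand-in for the real Facebook app signing certificate"
ATTACKER_CERT = b"constructed stand-in for the attacker's Instant App signing certificate"

# Constructed vault: site -> (username, password). Not a real account.
VAULT = {"facebook.com": ("alice", "correct-horse-battery")}

# Hint used by both resolvers: which site a package name is believed to belong to.
PACKAGE_TO_DOMAIN = {"com.facebook.katana": "facebook.com"}

# Constructed Digital Asset Links statement list, as if parsed from
# https://facebook.com/.well-known/assetlinks.json. The relation and field names
# are the real ones; the package name and fingerprint are for this example only.
ASSETLINKS = {
    "facebook.com": [
        {
            "relation": ["delegate_permission/common.get_login_creds"],
            "target": {
                "namespace": "android_app",
                "package_name": "com.facebook.katana",
                "sha256_cert_fingerprints": [cert_fingerprint(GENUINE_CERT)],
            },
        }
    ]
}


@dataclass
class AutofillRequest:
    package_name: str      # attacker-controlled for an Instant App, per the paper
    signing_cert: bytes    # what a manager could read back via PackageManager
    is_instant_app: bool   # PackageManager.isInstantApp() on Android 8.0+


def autofill_by_package_name(req: AutofillRequest):
    """Vulnerable pattern: trust the package name alone. Returns credentials or None."""
    domain = PACKAGE_TO_DOMAIN.get(req.package_name)
    return VAULT.get(domain) if domain else None


def autofill_with_asset_links(req: AutofillRequest):
    """Hardened pattern: the site must delegate login credentials to this exact
    package AND signing cert via Digital Asset Links; Instant Apps are refused
    outright (assumed policy for this example)."""
    if req.is_instant_app:
        return None
    domain = PACKAGE_TO_DOMAIN.get(req.package_name)
    if domain is None:
        return None
    fp = cert_fingerprint(req.signing_cert)
    for statement in ASSETLINKS.get(domain, []):
        target = statement.get("target", {})
        if ("delegate_permission/common.get_login_creds" in statement.get("relation", [])
                and target.get("namespace") == "android_app"
                and target.get("package_name") == req.package_name
                and fp in target.get("sha256_cert_fingerprints", [])):
            return VAULT.get(domain)
    return None


if __name__ == "__main__":
    genuine = AutofillRequest("com.facebook.katana", GENUINE_CERT, False)
    phish = AutofillRequest("com.facebook.katana", ATTACKER_CERT, True)
    print("package-name only, phishing app:", autofill_by_package_name(phish))
    print("asset-links check, phishing app:", autofill_with_asset_links(phish))
    print("asset-links check, genuine app: ", autofill_with_asset_links(genuine))
```

The first resolver hands the vault entry to anything that calls itself com.facebook.katana, which is exactly the attacker-controlled name the paper describes; the second only fills when the site itself has published a statement naming that package and the fingerprint of the certificate the app is actually signed with, so a look-alike package name without the matching key gets nothing.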