Password managers can be tricked into believing that malicious Android apps are legitimate

A new academic study released today shows that Android password managers have difficulty distinguishing legitimate applications from fake ones, which opens the door to simple phishing scams.

The study looked at how password managers operate on modern versions of the Android operating system, and at which features of the operating system an attacker could abuse to harvest credentials.

The research team found that the Android versions of password managers originally developed for desktop browsers are not as secure as their desktop counterparts.

The problem stems from how a mobile password manager links stored website credentials to a mobile application: it cannot reliably verify that the application it associates with a website is actually that site's official application.


Most password managers use an Android application's package name to connect it to the corresponding website URL, and in that way carry the user's credentials for the site over from the web to the mobile application.

However, a package name cannot be trusted: in the Android ecosystem it is easily manipulated by a malicious actor. This makes it possible for a malicious application to get itself associated with a legitimate website inside a mobile password manager.
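The following example, added here and not taken from the article or from any of the password managers it names, contrasts the package-name-only mapping the article describes with a stricter binding that also checks the APK signing certificate. The stricter check is modelled on Android's Digital Asset Links format (the `assetlinks.json` a site publishes under `/.well-known/`, with the `delegate_permission/common.get_login_creds` relation); the app objects, certificate bytes and the `assetlinks.json` contents are constructed sample data, and the example assumes the manager has already fetched that file from the site over HTTPS.

```python
"""Why a package name alone is a weak app-to-site binding, and a stricter
binding keyed on the APK signing certificate (added example, constructed data)."""
import hashlib
import json
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class InstalledApp:
    package_name: str
    signing_cert_der: bytes  # DER bytes of the APK signing certificate


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the signing certificate, in the colon-separated uppercase
    form that Digital Asset Links uses for sha256_cert_fingerprints."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed sample data: these are placeholder bytes, not real certificates.
LEGIT_CERT = b"constructed-der-bytes-of-the-real-bank-signing-cert"
IMPOSTOR_CERT = b"constructed-der-bytes-of-some-other-signing-cert"
legit_app = InstalledApp("com.example.bank", LEGIT_CERT)
# Anyone can build an APK with the same package name; only the signing key differs.
impostor_app = InstalledApp("com.example.bank", IMPOSTOR_CERT)

# 1. Weak binding, as described in the article: package name -> website.
PACKAGE_TO_SITE = {"com.example.bank": "https://bank.example"}


def resolve_by_package_name(app: InstalledApp) -> Optional[str]:
    """Returns the site whose credentials a manager would offer to this app."""
    return PACKAGE_TO_SITE.get(app.package_name)


# 2. Stricter binding: the site itself publishes which (package name, signing
# certificate) pairs may receive its credentials. Constructed assetlinks.json
# in the Digital Asset Links format; assumed to have been fetched from
# https://bank.example/.well-known/assetlinks.json over HTTPS.
ASSETLINKS_JSON = json.dumps([{
    "relation": ["delegate_permission/common.get_login_creds"],
    "target": {
        "namespace": "android_app",
        "package_name": "com.example.bank",
        "sha256_cert_fingerprints": [cert_fingerprint(LEGIT_CERT)],
    },
}])
SITE_ASSETLINKS = {"https://bank.example": ASSETLINKS_JSON}


def resolve_by_package_and_cert(app: InstalledApp) -> Optional[str]:
    """Returns the site only if the site's own statement lists this exact
    package name AND the fingerprint of the installed app's signing cert."""
    fingerprint = cert_fingerprint(app.signing_cert_der)
    for site, raw in SITE_ASSETLINKS.items():
        for statement in json.loads(raw):
            target = statement.get("target", {})
            if ("delegate_permission/common.get_login_creds" in statement.get("relation", [])
                    and target.get("namespace") == "android_app"
                    and target.get("package_name") == app.package_name
                    and fingerprint in target.get("sha256_cert_fingerprints", [])):
                return site
    return None


if __name__ == "__main__":
    for label, app in (("legit", legit_app), ("impostor", impostor_app)):
        print(label, "package-name only:", resolve_by_package_name(app),
              "| package+cert:", resolve_by_package_and_cert(app))
```

With the package-name-only lookup both apps resolve to `https://bank.example`, so the impostor would be offered the bank credentials; with the certificate-aware lookup the impostor resolves to nothing, because the fingerprint of its signing certificate is not in the site's published statement.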

For example, if the user opens a malicious application and it asks for login information, the password manager, misled by the application's package name, offers the credentials that belong to the legitimate service. The fake application can then collect the user's username and password for further (ab)use.

In the image above the fake application uses a generic UI, but in the real world attackers use pixel-precise clones of the legitimate application.

A user might otherwise be wary of the application's trustworthiness, but when a trusted password manager automatically offers to fill in the login credentials, that suggestion may be the final element that convinces the user the fake application is genuine when it is not.

The researchers examined five Android password managers that build an internal mapping between locally installed applications and legitimate websites, and found that four of the five were vulnerable to this abuse.

The Android versions of Keeper, Dashlane, LastPass and 1Password were found to be vulnerable, automatically prompting the user to fill credentials into a fake application …
