Vulnerable Android password managers make phishing attacks easier


Android password managers can be tricked into entering valid login credentials into phishing apps, a group of researchers has discovered.

They have also found that Instant Apps, a Google technology that allows users to “try” Android apps without the need to fully install them, can make phishing attacks more practical.

vulnerable Android password managers

Android password manager Dashlane suggesting Facebook credentials to a fake malicious app

The research

Simone Aonzo, Alessio Merlo, and Giulio Tavella from the University of Genoa and Yanick Fratantonio from EURECOM tested a number of Android password managers – 1Password, Dashlane, Keeper, LastPass, and Google Smart Lock – and found that all except that last one trust an app if it has the correct app package name.

Read more here