Android password managers can be tricked into entering valid login credentials into phishing apps, a group of researchers has discovered.
They have also found that Instant Apps, a Google technology that allows users to “try” Android apps without the need to fully install them, can make phishing attacks more practical.
Android password manager Dashlane suggesting Facebook credentials to a fake malicious app
Simone Aonzo, Alessio Merlo, and Giulio Tavella from the University of Genoa and Yanick Fratantonio from EURECOM tested a number of Android password managers – 1Password, Dashlane, Keeper, LastPass, and Google Smart Lock – and found that all except that last one trust an app if it has the correct app package name.
Read more here