Slashdot Mirror


Password Managers Can Be Tricked Into Believing That Malicious Android Apps Are Legitimate (zdnet.com)

A new academic study published today reveals that Android-based password managers have a hard time distinguishing between legitimate and fake applications, leading to easy phishing scenarios. From a report: The study looked at how password managers work on modern versions of the Android OS, and which of the OS features attackers can abuse to collect user credentials via phishing attacks carried out via fake, lookalike apps. What the research team found was that password managers, initially developed for desktop browsers, aren't as secure as their desktop versions. The problem comes from the fact that mobile password managers have a hard time associating a user's stored website credentials with a mobile application and then creating a link between that website and an official app.

[...] Researchers say they tested the way five Android password managers create internal maps (connections) between a locally installed app and legitimate internet sites and found that four of the five were vulnerable to abuse. The Android versions of the password managers from Keeper, Dashlane, LastPass, and 1Password were found to be vulnerable and prompted the user to auto-fill credentials into fake apps during tests. Researchers found that Google's Smart Lock app did not fall for this fake package name trick, because it uses a system named Digital Asset Links to authenticate and connect apps to a particular online service.
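The difference between the two approaches the summary describes can be shown side by side. The following is an added example, not code from the study, from ZDNet, or from any of the password managers named above. It puts an illustrative package-name heuristic (my own simplification of the kind of "package name to website" mapping the article says was abused; the real managers' mapping logic is not on this page) next to a Digital Asset Links check that parses a site's `/.well-known/assetlinks.json` and accepts an app only if both its package name and its signing-certificate SHA-256 fingerprint are listed for the `delegate_permission/common.get_login_creds` relation. The `assetlinks.json` document, the app records and the fingerprints are constructed for the example; a real check would fetch the document from the site's origin over HTTPS, which is exactly what lets the website, rather than the app, decide who may receive its credentials.

```python
"""
Side-by-side: a package-name heuristic versus a Digital Asset Links check
for deciding whether an installed Android app belongs to a website.
Added example; the assetlinks.json document and the apps are constructed.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Relation a site grants in assetlinks.json to let an app receive its saved
# credentials (the relation Smart Lock for Passwords looks for).
GET_LOGIN_CREDS = "delegate_permission/common.get_login_creds"


@dataclass(frozen=True)
class InstalledApp:
    package_name: str
    # SHA-256 of the APK signing certificate, colon-separated hex pairs as
    # apksigner/keytool print it. Constructed values below.
    signing_cert_sha256: str


def domain_from_package_heuristic(package_name: str) -> Optional[str]:
    """Illustrative heuristic: reverse-DNS package name -> domain,
    e.g. com.example.app -> example.com. Any package the attacker can
    still register (com.example.login, ...) satisfies it."""
    parts = package_name.lower().split(".")
    if len(parts) < 2:
        return None
    return f"{parts[1]}.{parts[0]}"


def heuristic_allows(app: InstalledApp, site_domain: str) -> bool:
    return domain_from_package_heuristic(app.package_name) == site_domain.lower()


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AA:BB:...' or 'aabb...' and compare case-insensitively."""
    return fp.replace(":", "").strip().upper()


def asset_links_allow(assetlinks_json: str, app: InstalledApp) -> bool:
    """True only if the site's assetlinks.json grants GET_LOGIN_CREDS to this
    exact package name AND this exact signing certificate. Malformed input
    fails closed."""
    try:
        statements = json.loads(assetlinks_json)
    except json.JSONDecodeError:
        return False
    if not isinstance(statements, list):
        return False
    want_fp = normalize_fingerprint(app.signing_cert_sha256)
    for stmt in statements:
        if not isinstance(stmt, dict):
            continue
        relations = stmt.get("relation")
        target = stmt.get("target")
        if not isinstance(relations, list) or GET_LOGIN_CREDS not in relations:
            continue
        if not isinstance(target, dict) or target.get("namespace") != "android_app":
            continue
        if target.get("package_name") != app.package_name:
            continue
        listed = target.get("sha256_cert_fingerprints", [])
        if not isinstance(listed, list):
            continue
        if want_fp in {normalize_fingerprint(f) for f in listed if isinstance(f, str)}:
            return True
    return False


def decide(app: InstalledApp, site_domain: str, assetlinks_json: str) -> dict:
    """Both verdicts for one app, so the gap between them is visible."""
    return {
        "heuristic": heuristic_allows(app, site_domain),
        "asset_links": asset_links_allow(assetlinks_json, app),
    }


# Constructed assetlinks.json as example.com might publish it.
GENUINE_FP = ("14:6D:E9:83:C5:73:06:50:D8:EE:B9:95:2F:34:FC:64:"
              "16:A0:83:42:E6:1D:BE:A8:8A:04:96:B2:3F:CF:44:E5")
ATTACKER_FP = ":".join(["DE", "AD", "BE", "EF"] * 8)  # constructed, attacker's key

EXAMPLE_COM_ASSETLINKS = json.dumps([{
    "relation": [GET_LOGIN_CREDS, "delegate_permission/common.handle_all_urls"],
    "target": {
        "namespace": "android_app",
        "package_name": "com.example.app",
        "sha256_cert_fingerprints": [GENUINE_FP],
    },
}])

GENUINE_APP = InstalledApp("com.example.app", GENUINE_FP)
# Lookalike package name chosen to satisfy the heuristic, attacker-signed.
LOOKALIKE_APP = InstalledApp("com.example.login", ATTACKER_FP)
# Same package name as the genuine app (installable while the real one is
# absent), but signed with the attacker's key.
REPACKAGED_APP = InstalledApp("com.example.app", ATTACKER_FP)

if __name__ == "__main__":
    for name, app in [("genuine", GENUINE_APP), ("lookalike", LOOKALIKE_APP),
                      ("repackaged", REPACKAGED_APP)]:
        print(name, decide(app, "example.com", EXAMPLE_COM_ASSETLINKS))
```

The heuristic says yes to the genuine app and to the lookalike alike, which is the phishing scenario the summary describes; the asset-links check says yes only to the genuine app, and the certificate fingerprint is what also rejects an app that copies the real package name. Note that the check is only as trustworthy as the fetch behind it: the document must come from the site's own origin over HTTPS, never from the app being checked.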

3 of 73 comments

  1. This is a user flaw not a password manager flaw by Wycliffe · Score: 3, Interesting

    The user is the one who was tricked into installing the fake app. Personally, I don't think that apps and websites should be sharing passwords. If I download a new app, I expect to have to type in the password the first time I use it. But even requiring the user to type in the password doesn't fix the problem they are talking about which is when the user thinks it's the real app and willingly gives the app their password either from a password manager or manually.

  2. Re:No mention of KeePass by Anonymous Coward · Score: 2, Interesting

    It doesn't appear to me that this would be a problem for KeePass. The version of KeePass I'm using doesn't autofill fields, which, while mildly annoying, means that it's a lot less likely to have applications doing things like this, as you'd have to manually paste the information into the wrong app.

  3. Re:durrrrrrr by Oswald+McWeany · Score: 3, Interesting

    This is why I just use the same password for everything. It's much easier to remember, and more secure since I don't have to write it down or store it anywhere.

    Better idea than that... make up a formula something like: The third letter from the name of the website. (so for example Slashdot that would be "a"). Then take that letter's position in the alphabet (1). Then take the 5th letter and do the same. And then finish with some random string you use in common across all websites such as "passwud123##" to pad the length. The formula would give you:

    a1h8passwud123##

    Easy to remember, and if someone got a hold of one password, they wouldn't be able to apply it directly to any other website. I use a formula for all of my password websites (but it's actually very different to the one above; I don't think anyone could ever reverse-engineer my password to figure out my formula. The example above they could if they tried. Best to use a formula that would only have meaning to you, so it can't be reverse-engineered but is quick for you to figure out.)

    --
    "That's the way to do it" - Punch