Boffins Trick Password Protection Using Imposter Apps
Guess what, your password manager on your mobile device needs more protection, because imposter apps can trick it into handing over passwords. This latest finding comes from the University of Genoa and EURECOM, who ran tests on Android Instant Apps and found that the feature lets an app ask for, receive and store credentials from password managers that were meant for other applications.
The idea is that Instant Apps, a feature intended to let the user try out portions of an Android app without fully downloading it by running remotely hosted code, are not properly distinguished from fully-installed apps by either users or password managers.
In other words, the feature is meant to let the user try part of an Android app without a full download, but neither Android nor the password manager reliably tells a partly-installed app apart from a fully-installed one, and that confusion is what the attack relies on.
According to the researchers, many popular Android password managers are weak and vulnerable to dubious apps. These tricky apps are often mistaken for genuine ones because they carry perfect metadata entries.
The researchers explain that an Instant App is fully controlled by the attacker, which makes it possible to trick password managers into auto-filling credentials for a website chosen by the attacker. This does not even require the installation of any additional app.
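To make the decision a password manager faces concrete, here is an added example (not code from the page, the researchers, or any real password manager) that models an autofill request in Python. The vulnerable version picks credentials purely from the metadata the requesting app reports about itself, which an imposter can copy; the hardened version additionally binds the package to a known signing-certificate fingerprint and refuses requests from apps that are not fully installed. The package name, certificate bytes, credentials and the `is_instant_app` flag are all constructed for the example; the certificate-binding check is one defensive approach and is assumed here, not something the article describes.

```python
"""Model of a password manager's autofill decision (constructed example)."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class AutofillRequest:
    package_name: str      # identity the requesting app reports about itself
    signing_cert: bytes    # bytes of the app's signing certificate (constructed)
    is_instant_app: bool   # True when the code is streamed, not fully installed


# Constructed vault: website domain -> (username, password)
VAULT = {"facebook.com": ("alice", "hunter2")}

# Weak mapping: self-reported package name -> domain.  Whoever builds an app
# chooses its package name, so an imposter can present the same "metadata".
PACKAGE_TO_DOMAIN = {"com.example.social": "facebook.com"}

# Hardened mapping: package name -> (domain, SHA-256 of the genuine signing cert).
GENUINE_CERT = b"constructed-genuine-signing-cert"
GENUINE_CERT_SHA256 = hashlib.sha256(GENUINE_CERT).hexdigest()
PACKAGE_TO_DOMAIN_AND_CERT = {
    "com.example.social": ("facebook.com", GENUINE_CERT_SHA256),
}


def fill_by_metadata(req: AutofillRequest):
    """Vulnerable: trusts the package name the app reports and nothing else."""
    domain = PACKAGE_TO_DOMAIN.get(req.package_name)
    return VAULT.get(domain) if domain else None


def fill_with_cert_binding(req: AutofillRequest):
    """Hardened: reject non-installed (instant) apps and require that the
    app's signing certificate matches the one recorded for that package."""
    if req.is_instant_app:
        return None
    entry = PACKAGE_TO_DOMAIN_AND_CERT.get(req.package_name)
    if entry is None:
        return None
    domain, expected_fp = entry
    actual_fp = hashlib.sha256(req.signing_cert).hexdigest()
    # Constant-time comparison of the two hex fingerprints.
    if not hmac.compare_digest(actual_fp, expected_fp):
        return None
    return VAULT.get(domain)


# Constructed requests: the genuine installed app, and an instant app that
# copies the same package name but is signed with the attacker's own key.
GENUINE = AutofillRequest("com.example.social", GENUINE_CERT, False)
IMPOSTER = AutofillRequest("com.example.social", b"constructed-attacker-cert", True)

if __name__ == "__main__":
    print("metadata-only, genuine :", fill_by_metadata(GENUINE))
    print("metadata-only, imposter:", fill_by_metadata(IMPOSTER))   # leaks
    print("cert-bound, genuine    :", fill_with_cert_binding(GENUINE))
    print("cert-bound, imposter   :", fill_with_cert_binding(IMPOSTER))  # None
```

The point of the two functions is the trust decision, not the data structures: as long as the only input to "which site does this app belong to?" is something the app itself supplies, an imposter that reproduces that metadata gets the same credentials as the real app.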
This lets the attacker bootstrap a phishing attack: the user is driven to the dubious website and keys in their credentials, and the page may even mimic Facebook-style functionality.
The findings show how an attacker would bait the user to a phishing website, or lure them with a ‘like’ button, which then prompts the user to approve the cloned instant app, which is connected to the attacker’s server.