Security researchers have developed a new attack, named AutoSpill, that steals account credentials on Android during the autofill operation.
In a presentation at the Black Hat Europe security conference, researchers from the International Institute of Information Technology, Hyderabad, said that their tests showed that most password managers for Android are vulnerable to AutoSpill, even without JavaScript injection.
Android apps use the platform's WebView component to render web content, such as login pages for services like Apple, Facebook, Microsoft, or Google, inside the app, and password managers fill the user's account credentials into those pages through Android's autofill framework.
If JavaScript injection is enabled, the researchers say that all password managers on Android are vulnerable to the AutoSpill attack.
Specifically, the AutoSpill issue stems from Android neither enforcing nor clearly defining who is responsible for securely handling auto-filled data, so credentials intended for a login page rendered in a WebView can also be filled into, and captured by, native fields belonging to the host app.
In an attack scenario, a rogue app serving a login form could capture the user's credentials without leaving any indication of the compromise.
The researchers tested AutoSpill against a selection of password managers on Android 10, 11, and 12 and found that 1Password 7.9.4, LastPass 5.11.0.9519, Enpass 6.8.2.666, Keeper 16.4.3.1048, and Keepass2Android 1.09c-r0 are susceptible to attacks due to using Android's autofill framework.
Through a malicious app installed on the user's device, an attacker could trick the user into unintentionally autofilling their credentials into fields the attacker controls.
The update will provide additional protection by preventing native fields from being filled with credentials that are only intended for Android's WebView.
On the Android platform, Keeper prompts the user when attempting to autofill credentials into an Android application or website.
On June 29, we informed the researcher of this information and also recommended that he submit his report to Google since it is specifically related to the Android platform.
Generally, a malicious Android application would first need to be submitted to Google Play Store, reviewed by Google and subsequently, approved for publication to the Google Play Store.
Keeper always recommends that individuals be cautious and vigilant about the applications they install and that they only install published Android applications from trusted app stores such as the Google Play Store.
WebView is used in a variety of ways by Android developers, which include hosting login pages for their own services in their apps.
We recommend third-party password managers be sensitive as to where passwords are being inputted, and we have WebView best practices that we recommend all password managers implement.
Android provides password managers with the required context to distinguish between native views and WebViews, as well as whether the WebView being loaded is not related to the hosting app.
When using the Google Password Manager for autofill on Android, users are warned if they are entering a password for a domain Google determines may not be owned by the hosting app, and the password is only filled in on the proper field.
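The separation described above, web credentials going only into WebView fields that show the matching domain and into a host app's native fields only when that app is verified for the domain, is what Android's autofill framework gives a password manager enough context to enforce. The following is an added example sketching that check in an AutofillService; it is not code from the AutoSpill researchers, BleepingComputer, Google, or any of the password managers named on this page. The `Credential` model, the `lookupCredential` store, the `accounts.example.com` domain and the `com.example.app` package are assumptions for illustration, and the "verified packages" set stands in for whatever Digital Asset Links or similar association check a real manager performs.

```java
// Added example (not from the AutoSpill paper or any vendor). Demonstrates
// keeping credentials saved for a web domain out of a host app's native fields.
package example.autofill;  // hypothetical package

import android.app.assist.AssistStructure;
import android.app.assist.AssistStructure.ViewNode;
import android.os.CancellationSignal;
import android.service.autofill.AutofillService;
import android.service.autofill.Dataset;
import android.service.autofill.FillCallback;
import android.service.autofill.FillContext;
import android.service.autofill.FillRequest;
import android.service.autofill.FillResponse;
import android.service.autofill.SaveCallback;
import android.service.autofill.SaveRequest;
import android.view.View;
import android.view.autofill.AutofillValue;
import android.widget.RemoteViews;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Set;

public class WebViewAwareAutofillService extends AutofillService {

    /** Hypothetical model: a stored credential plus the packages verified as owning its domain. */
    static final class Credential {
        final String domain, username, password;
        final Set<String> verifiedPackages;
        Credential(String domain, String username, String password, Set<String> verifiedPackages) {
            this.domain = domain; this.username = username; this.password = password;
            this.verifiedPackages = verifiedPackages;
        }
    }

    /** The AutoSpill check: may this credential be filled into this particular field? */
    static boolean fillAllowed(ViewNode node, String hostPackage, Credential cred) {
        String webDomain = node.getWebDomain();   // non-null only for fields rendered inside a WebView
        if (webDomain != null) {
            // Web field: fill only if the page's domain is the one the credential was saved for.
            // The identity of the app hosting the WebView is irrelevant to this decision.
            return webDomain.equalsIgnoreCase(cred.domain);
        }
        // Native field of the host app: a web credential must not spill into it unless the
        // host package has been verified for that domain (e.g. via Digital Asset Links).
        return cred.verifiedPackages.contains(hostPackage);
    }

    @Override
    public void onFillRequest(FillRequest request, CancellationSignal signal, FillCallback callback) {
        List<FillContext> contexts = request.getFillContexts();
        AssistStructure structure = contexts.get(contexts.size() - 1).getStructure();
        String hostPackage = structure.getActivityComponent().getPackageName();

        List<ViewNode> fields = new ArrayList<>();
        for (int i = 0; i < structure.getWindowNodeCount(); i++) {
            collectCredentialFields(structure.getWindowNodeAt(i).getRootViewNode(), fields);
        }
        Credential cred = lookupCredential(fields);   // hypothetical store lookup
        if (cred == null) { callback.onSuccess(null); return; }

        RemoteViews presentation = new RemoteViews(getPackageName(), android.R.layout.simple_list_item_1);
        presentation.setTextViewText(android.R.id.text1, cred.username + " (" + cred.domain + ")");
        Dataset.Builder dataset = new Dataset.Builder(presentation);
        boolean filledAny = false;
        for (ViewNode node : fields) {
            if (!fillAllowed(node, hostPackage, cred)) continue;   // skip fields that would spill
            boolean isPassword = Arrays.asList(node.getAutofillHints()).contains(View.AUTOFILL_HINT_PASSWORD);
            dataset.setValue(node.getAutofillId(), AutofillValue.forText(isPassword ? cred.password : cred.username));
            filledAny = true;
        }
        callback.onSuccess(filledAny ? new FillResponse.Builder().addDataset(dataset.build()).build() : null);
    }

    /** Collect text fields carrying username/password autofill hints, whether native or in a WebView.
     *  Real services also inspect getHtmlInfo() and input types; that heuristic is omitted here. */
    static void collectCredentialFields(ViewNode node, List<ViewNode> out) {
        String[] hints = node.getAutofillHints();
        if (hints != null && node.getAutofillType() == View.AUTOFILL_TYPE_TEXT) {
            List<String> h = Arrays.asList(hints);
            if (h.contains(View.AUTOFILL_HINT_USERNAME) || h.contains(View.AUTOFILL_HINT_PASSWORD)) out.add(node);
        }
        for (int i = 0; i < node.getChildCount(); i++) collectCredentialFields(node.getChildAt(i), out);
    }

    /** Hypothetical store: one credential for accounts.example.com, whose verified owner is com.example.app. */
    static Credential lookupCredential(List<ViewNode> fields) {
        for (ViewNode n : fields) {
            if ("accounts.example.com".equalsIgnoreCase(n.getWebDomain())) {
                return new Credential("accounts.example.com", "alice", "s3cret",
                        Collections.singleton("com.example.app"));
            }
        }
        return null;
    }

    @Override
    public void onSaveRequest(SaveRequest request, SaveCallback callback) {
        callback.onSuccess();   // saving credentials is out of scope for this example
    }
}
```

With this policy, a rogue app that embeds the accounts.example.com login page in a WebView and places its own username and password fields alongside it gets the credential filled only into the WebView fields; its native fields have no web domain and its package is not in the verified set, so they are left empty. The check does not help when the host app injects JavaScript into the WebView, which is the case the researchers say affects every manager: once the page is under the host's control, a correctly scoped fill is still readable by the host, and only user-facing confirmation prompts or refusing to fill into WebViews hosted by unverified apps address that.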
This Cyber News was published on www.bleepingcomputer.com. Publication date: Sat, 09 Dec 2023 16:20:07 +0000