Phishing attacks on mobile devices historically have relied on sending links via SMS, malicious apps, normal email techniques, or some combination thereof. Now, researchers have developed some new techniques for targeting Android users that take advantage of some quirks in the way mobile password managers map apps to domains, as well as the instant app feature on Android, to steal users’ credentials without their knowledge.
By gaming the way that some password managers connect a mobile app back to the domain with which it's supposed to be associated, the researchers can trick the password managers into trusting a counterfeit app. The password managers will then suggest the user's stored credentials that are associated with the legitimate app, and if the user clicks to fill in those credentials, the username and password are sent to the attacker-controlled app. The researchers looked at five mobile password managers and found issues with LastPass, Keeper, and Dashlane that allowed their technique to work.
“At the root of the problems is the need to bridge the mobile world with the web world: given an app with a login form, how can a password manager know whether this app is the legitimate Facebook app (and it is thus entitled to access Facebook credentials) or whether this is a malicious app attempting to appear as the legitimate one? How is it possible to know which app is linked to which domain name?” the new paper, Phishing Attacks on Modern Android, says.
“The key design issue is that all these three mechanisms use the app package name as the main abstraction to identify an app. Password managers thus need to somehow map package names to associated websites.”
The issues don’t lie in the Android operating system itself, and the researchers shared their findings with the developers of the various password managers, who have implemented fixes, or are in the process of doing so. Here’s how the researchers describe the issue with LastPass:
"Given a package name, e.g., aaa.bbb.ccc, LastPass splits it in components separated by the dots (e.g., aaa, bbb, and ccc), and it builds a domain name pattern by using the first two in reversed order (e.g., bbb.aaa). LastPass will then suggest to the user all the credentials associated with domain names with a shared suffix. For example, an app with package name com.facebook.evil will trigger an auto-suggestion for facebook.com," the research team said.
To take advantage of the way the password managers handle this process, the researchers found they could use an instant app, a relatively new feature in Android that allows users to try apps without installing them on their devices. The password managers don’t check whether a target app is an instant app, so they will automatically suggest credentials for those, as well.
“The execution of an Instant App is bootstrapped once the user visits a developer-specified link associated to it: the user is asked whether she wants to start the Instant App and, one click after, the Instant App is running on the user's device. Instant apps have many constraints, mainly with regard to permissions. However, they can control every pixel on the device UI: this is enough to mount phishing attacks,” the researchers said.
The attacks require some user interaction, as most phishing attacks do, but the researchers said their techniques demonstrate that phishing on Android devices is more feasible than people may have thought.
“The implementation of the malicious app is trivial, but doing an actual attack requires user interaction, which may be tricky depending on the user. Previous research has shown that once the user is ‘fooled’, stealing some clicks is not a problem,” Yanick Fratantonio, an assistant professor at EURECOM in France and one of the authors of the paper, said by email.
“I think that this work is more about showing that phishing attacks on modern Android are more practical than previously thought.”
The best way to address the problems the research team found is to implement Digital Asset Links (DAL), Fratantonio said. DAL lets developers or site owners declare associations with one another, so a site owner can make a verifiable statement that a given app is associated with her site.
“This is going to help the developers of password managers. In fact, the devs of PMs told us that the fix they deployed / they are deploying will likely consist on relying on DAL and, when DAL are not available, they will display a prominent warning to the user. If the community pushes for DAL adoption, we'll have a technical solution to fix this issue,” Fratantonio said.
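To make the two mechanisms concrete, the following is an added example (not code from the paper, from LastPass, or from any password manager): it models the package-name-to-domain heuristic the researchers describe for LastPass alongside a DAL-style check of the kind the password manager developers say they are deploying. The vault entries, package names, domains and the certificate fingerprint are all constructed placeholders; the `assetlinks.json` layout and the `delegate_permission/common.get_login_creds` relation follow the published Digital Asset Links format, but the site data here is invented. Domains for which no DAL statement exists are returned separately so the UI can show the prominent warning mentioned above.

```python
"""Package-name heuristic vs. Digital Asset Links verification (added example)."""
import json
from typing import Dict, List, Optional, Tuple

# Constructed vault: domain -> username. Not real credentials.
VAULT = {
    "facebook.com": "alice",
    "m.facebook.com": "alice",
    "example.org": "bob",
}

# Placeholder SHA-256 signing-certificate fingerprint (constructed, not real).
LEGIT_FP = "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:" \
           "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99"

# Constructed assetlinks.json documents keyed by the domain that would serve them
# at https://<domain>/.well-known/assetlinks.json. m.facebook.com deliberately
# publishes none, to exercise the "DAL not available" path.
ASSETLINKS = {
    "facebook.com": json.dumps([{
        "relation": ["delegate_permission/common.get_login_creds"],
        "target": {
            "namespace": "android_app",
            "package_name": "com.facebook.katana",
            "sha256_cert_fingerprints": [LEGIT_FP],
        },
    }]),
}


def heuristic_domain(package_name: str) -> Optional[str]:
    """LastPass-style mapping as the article describes it: take the first two
    dot-separated components of the package name and reverse them."""
    parts = package_name.split(".")
    if len(parts) < 2:
        return None
    return f"{parts[1]}.{parts[0]}"


def heuristic_suggestions(package_name: str, vault: Dict[str, str]) -> List[str]:
    """Every vault domain sharing the derived suffix. Any package whose first two
    components are com.facebook, legitimate or not, receives the same list."""
    suffix = heuristic_domain(package_name)
    if suffix is None:
        return []
    return sorted(d for d in vault if d == suffix or d.endswith("." + suffix))


def dal_allows(assetlinks_json: str, package_name: str, cert_fp: str) -> bool:
    """True if the site's statement list names this package AND this signing
    certificate for credential delegation. The fingerprint is what a counterfeit
    app cannot reproduce, even when it reuses the package name."""
    want_fp = cert_fp.upper()
    for stmt in json.loads(assetlinks_json):
        target = stmt.get("target", {})
        if "delegate_permission/common.get_login_creds" not in stmt.get("relation", []):
            continue
        if target.get("namespace") != "android_app":
            continue
        if target.get("package_name") != package_name:
            continue
        fps = [f.upper() for f in target.get("sha256_cert_fingerprints", [])]
        if want_fp in fps:
            return True
    return False


def dal_suggestions(package_name: str, cert_fp: str, vault: Dict[str, str],
                    assetlinks_by_domain: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Returns (verified, unverified). 'verified' domains published a DAL statement
    matching both package and certificate; 'unverified' are heuristic matches whose
    site publishes no DAL at all, which the UI should fill only behind a prominent
    warning. A domain that publishes DAL but does not list this app is dropped."""
    verified, unverified = [], []
    for domain in heuristic_suggestions(package_name, vault):
        statements = assetlinks_by_domain.get(domain)
        if statements is None:
            unverified.append(domain)
        elif dal_allows(statements, package_name, cert_fp):
            verified.append(domain)
    return verified, unverified


if __name__ == "__main__":
    print("heuristic, com.facebook.evil :", heuristic_suggestions("com.facebook.evil", VAULT))
    print("DAL, com.facebook.katana     :", dal_suggestions("com.facebook.katana", LEGIT_FP, VAULT, ASSETLINKS))
    print("DAL, com.facebook.evil       :", dal_suggestions("com.facebook.evil", LEGIT_FP, VAULT, ASSETLINKS))
```

Running the script shows the heuristic offering both Facebook entries to `com.facebook.evil`, while the DAL path verifies only `facebook.com` for the genuine package and certificate and leaves `m.facebook.com` in the warn-first bucket because that host publishes no statement.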