Graduate School and Research Center in Digital Sciences

Phishing attacks on modern Android

Merlo, Alessio; Aonzo, Simone; Tavella, Giulio; Fratantonio, Yanick

CCS 2018, ACM Conference on Computer and Communications Security, 15-19 October 2018, Toronto, Canada

Modern versions of Android have introduced a number of features in the name of convenience. This paper shows how two of these features, mobile password managers and Instant Apps, can be abused to make phishing attacks that are significantly more practical than existing ones. We have studied the leading password managers for mobile and we uncovered a number of design issues that leave them open to attacks. For example, we show it is possible to trick password managers into auto-suggesting credentials associated with arbitrary attacker-chosen websites. We then show how an attacker can abuse the recently introduced Instant Apps technology to allow a remote attacker to gain full UI control and, by abusing password managers, to implement an end-to-end phishing attack requiring only few user's clicks. We also found that mobile password managers are vulnerable to "hidden fields" attacks, which makes these attacks even more practical and problematic. We conclude this paper by proposing a new secure-by-design API that avoids common errors and we show that the secure implementation of autofill functionality will require a community-wide effort, which this work hopes to inspire. 

Document Doi Bibtex

Title:Phishing attacks on modern Android
Keywords:Mobile Security, Phishing, Password Managers, Instant Apps
Department:Digital Security
Eurecom ref:5637
Copyright: © ACM, 2018. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in CCS 2018, ACM Conference on Computer and Communications Security, 15-19 October 2018, Toronto, Canada
Bibtex: @inproceedings{EURECOM+5637, doi = {}, year = {2018}, title = {{P}hishing attacks on modern {A}ndroid}, author = {{M}erlo, {A}lessio and {A}onzo, {S}imone and {T}avella, {G}iulio and {F}ratantonio, {Y}anick}, booktitle = {{CCS} 2018, {ACM} {C}onference on {C}omputer and {C}ommunications {S}ecurity, 15-19 {O}ctober 2018, {T}oronto, {C}anada}, address = {{T}oronto, {CANADA}}, month = {10}, url = {} }
See also: