Phishing attacks on modern Android

Merlo, Alessio; Aonzo, Simone; Tavella, Giulio; Fratantonio, Yanick
CCS 2018, ACM Conference on Computer and Communications Security, 15-19 October 2018, Toronto, Canada

Modern versions of Android have introduced a number of features in the name of convenience. This paper shows how two of these features, mobile password managers and Instant Apps, can be abused to make phishing attacks that are significantly more practical than existing ones. We studied the leading mobile password managers and uncovered a number of design issues that leave them open to attacks. For example, we show it is possible to trick password managers into auto-suggesting credentials associated with arbitrary attacker-chosen websites. We then show how an attacker can abuse the recently introduced Instant Apps technology to allow a remote attacker to gain full UI control and, by abusing password managers, to implement an end-to-end phishing attack requiring only a few user clicks. We also found that mobile password managers are vulnerable to "hidden fields" attacks, which makes these attacks even more practical and problematic. We conclude this paper by proposing a new secure-by-design API that avoids common errors, and we show that the secure implementation of autofill functionality will require a community-wide effort, which this work hopes to inspire.


Type: Conference
City: Toronto
Date: 2018-10-15
Department: Digital Security
Eurecom Ref: 5637
Copyright: © ACM, 2018. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in CCS 2018, ACM Conference on Computer and Communications Security, 15-19 October 2018, Toronto, Canada http://dx.doi.org/10.1145/3243734.3243778

PERMALINK : https://www.eurecom.fr/publication/5637