In this seminar, I will present two novel and practical phishing attacks on Android that exploit some convenience features.
In the first attack, I will abuse features unique to Android, namely the Autofill Framework and Instant Apps, to show how an attacker can trick password managers into autofilling credentials for malicious websites.
In the second attack, I demonstrate a state inference-based phishing attack that uses the inotify APIs, in this case a feature of the Linux kernel on which Android is based, to monitor file system events and detect when the victim launches a target application.
Several vulnerabilities and their fixes were reported to both Google and major password manager developers, but even now these issues have not been fully resolved, proving once again that while secure solutions exist in theory, they are difficult to implement in practice.
