
The vulnerability that could allow Android apps to steal passwords is called AutoSpill

Ankit Gangwal of the International Institute of Information Technology, together with his students Shubham Singh and Abhijeet Srivastava, presented a vulnerability called "AutoSpill" at the Black Hat Europe conference. It can cause the saved credentials of Android users to be leaked.

The problem involves WebView, the Android software component that lets an app embed web content. WebView acts as a browser inside the app, so developers can show web pages directly within the application's own interface instead of handing off to the system browser; password managers autofill into such embedded pages in the same way they do in a regular browser.

So, when an app loads a login page via WebView, a password manager may not correctly identify where the user's previously saved login information belongs, and can fill it into the wrong place. Gangwal explained it this way: "Let's say you're trying to access your favorite music app on your mobile device and you use the option to 'sign in via Google or Facebook.' The music app will open a Google or Facebook sign-in page inside via WebView. When the password manager is called to autofill the credentials, ideally it should autofill only on the Google or Facebook page that is loaded. But we found that the autofill operation could accidentally expose the credentials to the underlying app."

Gangwal added that the top ten password managers for Android were found to be vulnerable to AutoSpill. After discovering the flaw, the researchers contacted the developers of all the affected apps, but only 1Password responded, committing to a software update. The risk is nonetheless high: a malicious application could obtain a user's credentials without resorting to any particularly sophisticated technique.
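The check implied by Gangwal's description (fill the Google or Facebook page that is loaded, and nothing else) can be made concrete. The following is an added example, not code from the article or from any of the password managers it mentions: a Python model of the decision an Android autofill service makes when it receives the view tree of an app that embeds a WebView login page. The `ViewNode` and `Credential` classes, the field and package names, and the sample vault are all constructed stand-ins, not the Android API; the real `AssistStructure.ViewNode` does expose a per-node web domain for content rendered inside a WebView, which is the property the hardened policy relies on. The "vulnerable" policy fills every login field it can see once any credential matches the host app or a visible web domain, so the web credential lands in the host app's own native fields; the "hardened" policy fills a field only with the credential saved for that field's own scope.

```python
"""Model of the autofill decision a password manager makes when a host app
shows a WebView login page.  Illustrative only: the classes below stand in
for android.app.assist.AssistStructure and are not the Android API."""
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple


@dataclass
class ViewNode:
    """Stand-in for AssistStructure.ViewNode.  Real nodes expose
    getAutofillHints() and, for nodes rendered inside a WebView, getWebDomain()."""
    autofill_id: str
    hints: Tuple[str, ...] = ()
    web_domain: Optional[str] = None      # None for the host app's native views
    children: List["ViewNode"] = field(default_factory=list)


@dataclass(frozen=True)
class Credential:
    origin: str      # "web:<domain>" for a website, "app:<package>" for an app
    username: str
    password: str


def walk(node: ViewNode) -> Iterator[ViewNode]:
    """Depth-first traversal of the view tree."""
    yield node
    for child in node.children:
        yield from walk(child)


def field_kind(node: ViewNode) -> Optional[str]:
    """'username' / 'password' for login fields, None for everything else."""
    for hint in node.hints:
        if hint in ("username", "password"):
            return hint
    return None


def vulnerable_fill(root: ViewNode, host_package: str,
                    vault: List[Credential]) -> Dict[str, str]:
    """Flawed policy: pick a credential that matches anything visible in the
    structure (the host package or any web domain), then fill *every* login
    field found, native or web.  The website credential therefore also lands
    in the host app's own fields, which is the leak described in the article."""
    scopes = {"app:" + host_package} | {
        "web:" + n.web_domain for n in walk(root) if n.web_domain}
    matches = [c for c in vault if c.origin in scopes]
    if not matches:
        return {}
    cred = matches[0]
    filled: Dict[str, str] = {}
    for node in walk(root):
        kind = field_kind(node)
        if kind:
            filled[node.autofill_id] = cred.username if kind == "username" else cred.password
    return filled


def hardened_fill(root: ViewNode, host_package: str,
                  vault: List[Credential]) -> Dict[str, str]:
    """Fill each field only with the credential saved for that field's own
    scope: a WebView field gets the credential for its web domain, a native
    field gets a credential saved for the host package.  Nothing crosses over.
    (Exact-match on domain; a real manager also needs proper eTLD+1 handling.)"""
    by_origin = {c.origin: c for c in vault}
    filled: Dict[str, str] = {}
    for node in walk(root):
        kind = field_kind(node)
        if not kind:
            continue
        scope = ("web:" + node.web_domain) if node.web_domain else ("app:" + host_package)
        cred = by_origin.get(scope)
        if cred is None:
            continue
        filled[node.autofill_id] = cred.username if kind == "username" else cred.password
    return filled


# Constructed sample: a music app (the host) that has its own username and
# password fields and also shows accounts.google.com's sign-in page in a WebView.
HOST_PACKAGE = "com.example.music"                       # hypothetical package
SAMPLE_STRUCTURE = ViewNode("root", children=[
    ViewNode("native_user", hints=("username",)),
    ViewNode("native_pass", hints=("password",)),
    ViewNode("webview", web_domain="accounts.google.com", children=[
        ViewNode("web_user", hints=("username",), web_domain="accounts.google.com"),
        ViewNode("web_pass", hints=("password",), web_domain="accounts.google.com"),
    ]),
])
SAMPLE_VAULT = [Credential("web:accounts.google.com", "alice@gmail.com",
                           "correct horse battery staple")]   # constructed


def leaked_to_host(filled: Dict[str, str], root: ViewNode) -> List[str]:
    """IDs of native (non-WebView) fields that received a value."""
    return sorted(n.autofill_id for n in walk(root)
                  if n.web_domain is None and n.autofill_id in filled)


if __name__ == "__main__":
    bad = vulnerable_fill(SAMPLE_STRUCTURE, HOST_PACKAGE, SAMPLE_VAULT)
    good = hardened_fill(SAMPLE_STRUCTURE, HOST_PACKAGE, SAMPLE_VAULT)
    print("vulnerable policy leaks into:", leaked_to_host(bad, SAMPLE_STRUCTURE))
    print("hardened policy leaks into:", leaked_to_host(good, SAMPLE_STRUCTURE))
```

Running it shows the vulnerable policy writing the Google credential into `native_user` and `native_pass`, fields that belong to the host app and that the host app can read directly, while the hardened policy touches only the two fields inside the WebView. The design point is that the host app's package name must never be used as a fallback scope for a credential that was saved for a website.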
