Paper Reading: Phishing Attacks on Modern Android


Summary: Password managers on mobile devices are vulnerable to many new types of phishing attacks, e.g. auto-suggesting credentials associated with compromised websites, UI control, and “hidden fields” attacks. A new secure-by-design API that avoids common errors, together with a community effort toward a secure implementation of autofill functionality, is proposed.


Contributions: the first security analysis of mobile password managers and of the three core technologies they rely on: a11y (the Accessibility Service), the Autofill framework, and OpenYOLO. Uncovers vulnerabilities. Shows Instant Apps’ problems. Demonstrates an end-to-end phishing attack. Proposes a new secure-by-design API.

We developed a three-step methodology to investigate the security of each password manager.

I felt this was a good paper.


The more frequently users will be asked to insert credentials on their mobile devices, the more attackers will find mobile phishing attacks rewarding.

Frameworks such as OpenYOLO are used to pass credentials across the isolation boundary between apps.

We argue that package names are the wrong abstraction for PMs to work with.

For example, nothing prevents anybody from creating an app with package name com.example.evil: there is no relation between the package name and the domain it appears to refer to.

“4.3 Vulnerable Mappings” is terribly written.

As the attacker controls every pixel of the screen, nothing prevents her from showing the user a browser-like view with a spoofed domain name and a green lock. Once again, this attack can be made indistinguishable from a legitimate scenario.

In fact, we have shown that password managers can be tricked into revealing users’ credentials, but these attacks require a malicious app (with an attacker-chosen package name) to be installed on the victim’s phone: Instant Apps can be used to do just that.

“Practical considerations” from the attacker’s perspective.

Practical Value

What can you learn from this to make your research better?

What should a security paper look like?

API sequence diagram. Attack PoC.

Details and Problems

From the presenters’ point of view, what questions might the audience ask?

Why is the adoption rate of DAL (Digital Asset Links) so low? Only querying arbitrary domain names might not be a good study target. People are lazy. PMs should nudge them.
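To illustrate the package-name argument above (nothing ties com.example.evil to any domain) and the DAL question, here is an added Python sketch that is not from the paper or any password manager: a simplified package-name heuristic of the kind the paper criticises beside a Digital Asset Links check that binds the domain to both the package name and the signing-certificate fingerprint. The assetlinks.json content and the fingerprint are constructed placeholders, and fetch_assetlinks stands in for the real HTTPS fetch.

```python
import json
from typing import Optional

# Constructed sample of what a site would publish at
# https://<domain>/.well-known/assetlinks.json (Digital Asset Links format).
# The fingerprint is a placeholder, not a real certificate hash.
SAMPLE_ASSETLINKS = {
    "example.com": json.dumps([{
        "relation": ["delegate_permission/common.get_login_creds"],
        "target": {
            "namespace": "android_app",
            "package_name": "com.example.app",
            "sha256_cert_fingerprints": ["00:11:22:PLACEHOLDER:FINGERPRINT"],
        },
    }]),
}


def naive_domain_for_package(package_name: str) -> str:
    """Simplified version of the heuristic the paper criticises: reverse the
    first two labels of the package name and treat the result as the domain.
    Any app can choose any package name, so com.example.evil maps to
    example.com just like the genuine app does."""
    labels = package_name.split(".")
    return ".".join(reversed(labels[:2]))


def fetch_assetlinks(domain: str) -> Optional[list]:
    """Offline stand-in for fetching /.well-known/assetlinks.json over HTTPS
    (a real implementation must validate the TLS certificate)."""
    raw = SAMPLE_ASSETLINKS.get(domain)
    return json.loads(raw) if raw else None


def dal_authorizes(domain: str, package_name: str, cert_fingerprint: str) -> bool:
    """Secure mapping: the domain owner's statement must grant the login
    credential relation to this exact package name AND this exact signing
    certificate (in practice taken from the installed app's signature)."""
    for statement in fetch_assetlinks(domain) or []:
        target = statement.get("target", {})
        if target.get("namespace") != "android_app":
            continue
        if "delegate_permission/common.get_login_creds" not in statement.get("relation", []):
            continue
        if target.get("package_name") != package_name:
            continue
        allowed = {f.upper() for f in target.get("sha256_cert_fingerprints", [])}
        if cert_fingerprint.upper() in allowed:
            return True
    return False
```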