Android smartphone users have been put on alert by security experts about a risk affecting devices running the Google mobile OS.
Android is one of the most used pieces of software in the world, with over two billion devices using the Google mobile OS each and every month.
These numbers are only going to grow with the upcoming release of high-profile Android devices like the Pixel 3, Pixel 3 XL and OnePlus 6T.
And ahead of these major releases, Android fans have been warned about a security risk they need to know about.
A new academic study has uncovered a password security risk that affects Android fans.
Specifically, the study found Android-based password managers can have trouble distinguishing legitimate and fake applications.
Third-party password managers that were originally developed for desktop browsers are not as secure on Android, ZDNet reported.
The research found that a malicious app can trick some mobile password managers into associating it with a legitimate website.
Android warning – Password risk affecting Google smartphones discovered
This can lead to the fake app collecting users’ login credentials, which can be used for nefarious means at a later date.
Researchers say they tested five Android password managers and four were vulnerable to abuse.
They added that they contacted the companies behind the tested password managers to inform them of their findings.
Yanick Fratantonio, one of the researchers behind the study, said: “They were very professional in handling the matter.
“Some of them should have their own blog posts about these findings.”
Android warning – Smartphone fans warned about password manager risk
Those behind the study outlined how Android users can be tricked into handing over logins and usernames when they open a fake app.
A password manager, tricked by a fake app’s package name, could suggest login credentials for a legitimate service.
Users may agree to autofilling these fields, which would in turn allow the fake app to collect sensitive user details.
Researchers said that Google’s Smart Lock app did not fall for the fake package name trick.
Android warning – Password managers were tricked into confusing fake apps with real ones
But one of the password managers that the study did name as being vulnerable to abuse was Keeper.
In a blog post, Keeper outlined how it has fixed the issue and thanked the researchers for reporting it.
Keeper said: “The report states that a malicious application on the app store could theoretically be downloaded by a user, and Keeper does not stop the user from filling a password on the malicious application.
“This is because Keeper uses information from Google Play to suggest records that the user may want to fill.
“To be clear, at this time no Keeper users have reported a phishing attack or are known to have installed malicious applications.”
They added: “Keeper only presents the option to fill a login or password for an application from Google’s store listing references that match a specific URL.
“After presenting the user with the available matches, the user can elect to fill the password.
“Keeper never auto-fills login and password credentials into any application without the user’s consent.”
Android warning – Four password managers were found vulnerable to abuse
Discussing the fix, Keeper said: “We have published this change in Keeper for Android version 12.1.1 which was released in July 2018 as part of our monthly application update, along with other planned improvements.
“As always, we recommend checking the authenticity of the applications you are installing.
“If you suspect an application is malicious or fake, please report it to Google at this link.”
Another password manager that researchers said was affected was LastPass.
Speaking to ZDNet, a spokesperson said: “This particular vulnerability in Android’s app ecosystem was brought to our attention by the University of Genoa, Italy, and EURECOM researchers through our Bug Bounty Program.
“While continued efforts from the web and Android communities will also be required, we have already implemented changes to our LastPass Android app to mitigate and minimise the risk of the potential attack detailed in this report.
“Our app now requires explicit user approval before filling any unknown apps, and we’ve increased the integrity of our app associations database in order to minimise the risk of any ‘fake apps’ being filled/accepted.
“At this time, we have no indication or reason to believe that any sensitive LastPass user data has been compromised.
“As always, delivering a secure service for our users remains our top priority and we will continue to work with the security community to respond and fix potential vulnerability reports as quickly as possible.”
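The flaw the researchers describe (a manager suggesting a site’s credentials to any app that carries the expected package name) and the two mitigations the vendors mention (verifying app identity more strictly and asking the user before filling an unknown app) can be modelled in a few lines. The following Python is an added example written for this article; it is not code from the study, from Keeper or from LastPass. It assumes the manager stores, alongside each package name, the SHA-256 fingerprint of the app’s signing certificate (the same pairing Android’s Digital Asset Links uses); the package names, URLs and certificate bytes are constructed placeholders.

```python
"""Model of an Android password-manager autofill decision.

Added example, not code from the study or any vendor. It contrasts an
association lookup keyed on package name alone (the pattern the study
found) with one that also checks the signing-certificate fingerprint and
asks the user before filling an app it does not recognise. All package
names, certificate bytes and URLs are constructed for the example.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-ins for DER-encoded signing certificates. On a real
# device the fingerprint would be derived from the package's signing info.
LEGIT_CERT = b"constructed-DER-of-the-real-bank-app-signer"
FAKE_CERT = b"constructed-DER-of-a-different-signer"


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the certificate bytes, the form Digital Asset Links uses."""
    return hashlib.sha256(cert_der).hexdigest().upper()


# Association database: website -> app allowed to receive its credentials.
# Keyed on package name AND signing-certificate fingerprint (assumption:
# the manager records the fingerprint, as an assetlinks.json entry does).
ASSOCIATIONS = {
    "https://bank.example": {
        "package": "com.example.bank",
        "cert_sha256": cert_fingerprint(LEGIT_CERT),
    },
}


@dataclass(frozen=True)
class InstalledApp:
    package: str        # package name declared by the app
    signing_cert: bytes  # certificate the APK was signed with


def vulnerable_suggest(app: InstalledApp) -> Optional[str]:
    """The weak pattern: trust the package name alone.

    Any app that declares the same package name is treated as the
    legitimate one, so the site's credentials are offered to its form.
    """
    for site, assoc in ASSOCIATIONS.items():
        if assoc["package"] == app.package:
            return site
    return None


def hardened_decide(app: InstalledApp) -> Tuple[str, Optional[str]]:
    """Return (decision, site) where decision is one of:

    'fill'     - package name and signing certificate both match; offer
                 the credentials (still only filled on the user's tap).
    'refuse'   - package name matches a known association but the signer
                 does not: the app is impersonating, so never offer.
    'ask_user' - no association at all; require explicit approval before
                 anything is filled (the change LastPass describes).
    """
    fingerprint = cert_fingerprint(app.signing_cert)
    for site, assoc in ASSOCIATIONS.items():
        if assoc["package"] != app.package:
            continue
        if assoc["cert_sha256"] == fingerprint:
            return ("fill", site)
        return ("refuse", None)
    return ("ask_user", None)


if __name__ == "__main__":
    real = InstalledApp("com.example.bank", LEGIT_CERT)
    impostor = InstalledApp("com.example.bank", FAKE_CERT)
    unknown = InstalledApp("com.other.app", FAKE_CERT)
    for label, app in (("real", real), ("impostor", impostor), ("unknown", unknown)):
        print(f"{label:9} vulnerable -> {vulnerable_suggest(app)!r:24} "
              f"hardened -> {hardened_decide(app)}")
```

Run as a script it prints one line per app: the package-name-only lookup offers the bank’s credentials to both the real app and the impostor, while the hardened decision fills only the real app, refuses the impostor outright, and defers to the user for an app with no association at all. The ‘refuse’ branch is also the natural place to log the event, since a package name paired with an unexpected signer is a strong detection signal on its own.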