SIK-2016-033


Title:

App Password Stealing from Avast Password Manager

Report ID:

SIK-2016-033

Summary:

  • Vendor: AVAST Software
  • Product: Avast Passwords
  • Affected Version: 1.4.1
  • Severity: Low
  • Short summary:
    The Avast password manager offers a feature to automatically fill stored passwords into apps that request login information. Since the target app is identified only by its package name, an attacker can provide an app with a suitably crafted package name and gain access to the user’s credentials.

Details:

The Avast password manager offers a feature to automatically fill stored passwords into apps that request login information. This is done using a custom accessibility service. To determine which login data should be filled into which app, the password manager uses the package name of the target app. However, it only performs a prefix check. If the user, for example, stores a password for Twitter, this password will be filled into every app whose package name matches “com.twitter.*”.

Attack scenario: An attacker can trick the user into installing a fake app that bears no visual resemblance to Twitter but instead imitates some other service X. The app has the package name “com.twitter.attackMe”. The user, who believes he is logging into X, uses the password manager to fill in his credentials for X. Instead of the credentials for X, however, the password manager fills in the Twitter credentials. The login to X will fail (provided that the user has different credentials for Twitter and for X), but the user receives no indication that his Twitter credentials have been stolen.

Since the fake app was provided by the attacker, it can simply be written in such a way that it sends the filled-in credentials to a server under the attacker’s control. The only requirement for the fake app (aside from the suitably crafted package name) is that it contain two input fields, the first one of type “text” and the second one of type “password”.

This vulnerability allows an attacker to extract individual entries from the password database, effectively circumventing the protection provided by the password manager. Its impact is limited only by the fact that it requires cooperation from the user, who must be tricked into actively unlocking his password manager. With an attack like the one described above, this is, however, a realistic assumption.

Workaround:

Disable automatic filling.

Suggested Mitigation:

The password manager should compare the full package name of the target application before filling in credentials. Since Android does not allow two installed apps to share a package name, this at least ensures that the fake app cannot be installed alongside the genuine target app whose credentials are to be stolen.
It would be even better to check the certificate with which the target app is signed. Since Android requires that all updates of an installed app be signed with the same key, it is sufficient to retrieve the signing key of the target app once and store it alongside the credentials. Before credentials are filled into an app, that app must be signed with the same key; otherwise it is not the legitimate target.
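The prefix check described under Details and the two mitigations suggested above, side by side in Java, as an added example written for this advisory; it is illustrative code, not Avast’s implementation. The class AutofillTargetPolicy, the StoredEntry type and the method names are assumptions; the Android APIs used (PackageManager.getPackageInfo with GET_SIGNATURES, Signature.toByteArray) are real.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Hypothetical autofill target check (illustrative, not Avast's code).
 * Contrasts the prefix match described in the advisory with the two
 * suggested mitigations: exact package-name comparison and pinning of
 * the target app's signing certificate on first use.
 */
public final class AutofillTargetPolicy {

    /** A stored credential entry; the fingerprint is null until the first fill. */
    public static final class StoredEntry {
        public final String packageName;   // e.g. "com.twitter.android" (constructed sample)
        public String signingCertSha256;   // hex SHA-256 of the signing certificate, pinned on first fill

        public StoredEntry(String packageName, String signingCertSha256) {
            this.packageName = packageName;
            this.signingCertSha256 = signingCertSha256;
        }
    }

    /**
     * The vulnerable check from the advisory: a prefix comparison, so an app
     * named "com.twitter.attackMe" receives the entry stored for "com.twitter.android".
     */
    public static boolean matchesByPrefix(String eventPackage, String storedPackage) {
        return eventPackage != null && eventPackage.startsWith(storedPackage);
    }

    /** Mitigation 1: the full package name must be identical. */
    public static boolean matchesExactly(String eventPackage, String storedPackage) {
        return storedPackage != null && storedPackage.equals(eventPackage);
    }

    /**
     * Mitigation 2: hex SHA-256 over the DER-encoded signing certificate of the
     * installed app. Returns null if the package is unknown or is not signed by
     * exactly one certificate (multi-signed apps are refused rather than guessed).
     * GET_SIGNATURES is the API available at the time of the advisory; on API 28+
     * GET_SIGNING_CERTIFICATES and PackageInfo.signingInfo replace it.
     */
    public static String signingCertSha256(Context ctx, String packageName) {
        try {
            PackageInfo info = ctx.getPackageManager()
                    .getPackageInfo(packageName, PackageManager.GET_SIGNATURES);
            Signature[] sigs = info.signatures;
            if (sigs == null || sigs.length != 1) {
                return null;
            }
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(sigs[0].toByteArray());
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return null;
        }
    }

    /**
     * Decision taken by the accessibility service before filling: exact package
     * match first, then trust-on-first-use pinning of the signing certificate.
     * eventPackage is the value reported by AccessibilityEvent.getPackageName().
     */
    public static boolean mayFill(Context ctx, String eventPackage, StoredEntry entry) {
        if (!matchesExactly(eventPackage, entry.packageName)) {
            return false;                        // "com.twitter.attackMe" is rejected here
        }
        String current = signingCertSha256(ctx, eventPackage);
        if (current == null) {
            return false;                        // target cannot be attested: refuse to fill
        }
        if (entry.signingCertSha256 == null) {
            entry.signingCertSha256 = current;   // first use: pin the key alongside the credentials
            return true;
        }
        return entry.signingCertSha256.equals(current); // key changed: not the legitimate app
    }
}
```

Two design choices are worth noting. The fingerprint function refuses to answer when the package is signed by zero or several certificates instead of picking one, so the filling decision fails closed. The pin is recorded on the first successful fill, which is exactly the “retrieve once and store alongside the credentials” step suggested above; because the exact-name check precedes it, a fake app can only reach the pinning step if it carries the genuine package name, and Android then prevents the genuine app from being installed next to it.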

Timeline:

  • 2016-11-21 Vulnerability Reported
  • 2016-12-05 Vulnerability Fixed