"Security Alert: Android Password Managers Vulnerable to AutoSpill Attack"
Originally Published 2 years ago — by BleepingComputer
Researchers have discovered a new attack called AutoSpill that can steal account credentials from Android password managers during the autofill process. The attack exploits weaknesses in Android's autofill framework, allowing rogue apps to capture auto-filled credentials without detection. Most password managers on Android are vulnerable to AutoSpill, even without JavaScript injection. The researchers have disclosed their findings to impacted software vendors and Android's security team, but no details about fixing plans have been shared yet. Some password management providers, such as 1Password, LastPass, and Keeper, have acknowledged the issue and are working on fixes. Google recommends that third-party password managers implement best practices to distinguish between native views and WebViews and warns users when entering passwords for domains not owned by the hosting app.