Android Instant Apps have become quite popular over the past few years, enabling users to gain full control of their travel, business and sleeping habits. Android password managers have simplified their use further by storing credentials, so users do not have to remember them each time they use an Instant App.
Security researchers have now revealed that password managers are not as safe as they are supposed to be: using a spoofed Instant App, attackers can easily trick the managers, because they cannot differentiate between authentic and fake Instant Apps. When a user visits the attacker's fake website, the password manager is asked for login credentials. Because the website presents itself as an authentic Instant App, the manager does not recognize it as a spoofed one. The credentials are then handed to the attacker without the user noticing anything suspicious. No malicious app needs to be installed, and the user is never asked to enter any credentials.