Password managers can be tricked into believing that malicious Android apps are legitimate Password managers from Keeper, Dashlane, LastPass, and 1Password found to be vulnerable, study finds September 26, 2018 https://www.zdnet.com/article/passw...g-that-malicious-android-apps-are-legitimate/ Research: "Phishing Attacks on Modern Android" (PDF): http://www.s3.eurecom.fr/~yanick/publications/2018_ccs_phishing.pdf
Yes, Android is full of security holes. I think it's a dumb idea to shift important services to mobile phones.
Just as a note, when autofill is firstly activated to any new app it gives a small popup. This should mitigate actual risk to some extent, especially when the form is invisible. But I don't use autofill.