These days you can’t be too careful when it comes to phishing attacks, and now a developer has found that even Chrome for Android is susceptible. Cyber attackers don’t even need to find obscure technical flaws to launch these attacks. Turns out they only need a screen capture and some boss coding skills.
On his personal blog, a developer called James Fisher says he found a relatively simple exploit in Chrome on an Android device that takes advantage of the app’s address bar. When users scroll down from the top of a page, Chrome hides its address bar, and it’s possible for an attacker’s page to display a fake address bar in its place. The page can even be designed to prevent users from seeing the real address bar when they scroll back up.
[Video of the exploit from James’ blog post]
Luckily, this attack doesn’t seem to have affected anyone yet; Fisher wrote about it as a proof of concept for a possible phishing approach. What it does prove, though, is that this exploit could theoretically display fake address bars for a variety of browsers, and even include interactive elements.
The 9to5Google folks have figured out that locking your phone and then unlocking it will show you the real address bar again. It’s definitely not the best fix for this problem, but it could save you from a phisherman if you suspect some dodgy doings. We expect Google will do something about it soon enough, now that it knows about it. At least, we hope it will.