This Google Chrome Android Exploit Leverages Fake Address Bar For Phishing Attacks

In the web browser world, Google Chrome is tops and is offered on multiple platforms including Windows 10, macOS, Linus, iOS and Android. however, web developer named Jim Fisher has found an exploit that nefarious developers can use to trick Chrome on Android users into thinking they are on a legitimate website.

Fisher shows on his blog how a website can replace the Chrome for Android address bar and tabs UI using a few tricks. All Chrome for Android users know that when you scroll down a page using the browser, the top of the UI with your address bar and tabs are hidden from view. Fisher found that the scrolling of the page could be "jailed" so when the user scrolls back up the page, the Android UI doesn't show again.

That means when the user tries to scroll back up, the page can display an image of a fake address bar at the top of the screen where the Android UI is usually located along with a different URL. That URL can include the lock icon used to tell the user if a page is secure. The way the exploit functions the user can't easily leave the page since there is no access to the Chrome for Android address bar. With a fake image of an address bar in its place, the user has no back arrows to click on.

There is an easy way for users to tell if the address bar has been tampered with, all users need to do is lock and unlock their device. The lock/unlock action forces Chrome for Android to show its real address bar and the fake address bar will be displayed below it. Again, we should stress that this is just a proof of concept for now, but there's nothing stopping third-parties from using such vectors to target Android users (that is until Google can issue an update to prevent such browser takeovers).