Android fans are being warned about a sneaky ploy cybercriminals could use to fool those using the Google Chrome browser.
Android is one of the most used pieces of software in the world, with over two billion devices running the Google mobile OS each and every month.
One of the search engine giant’s other household names, Google Chrome, is also used by a huge number of people.
Google Chrome is the world’s most popular browser, with recent NetMarketShare stats giving it a staggering 67.88 per cent chunk of the browser marketplace.
And users of both pieces of Google software need to be aware of a sneaky ploy that cybercriminals could use.
Google Chrome for Android has a feature which hides the URL bar after a page has been loaded.
This helps expand the amount of screen space available and shows more content at once from the web page in question.
However, in a blog post, developer James Fisher pointed out how this can be exploited for nefarious means.
As Fisher showed in his blog post, this URL-hiding feature means content in Chrome for Android can be made to appear legitimate when it’s fake.
Fisher demonstrated this by making his blog post appear as if it were hosted on the website of banking giant HSBC.
Not only does the demo show a fake URL but it even shows a green HTTPS secure padlock icon alongside the web address.
Fisher explained that this could be used in a phishing attack to make a page seem authentic when it is in fact a fake.
He said: “Normally, when the user scrolls up, Chrome will redisplay the true URL bar.
“But we can trick Chrome so that it never redisplays the true URL bar. Once Chrome hides the URL bar, we move the entire page content into a ‘scroll jail’.
“Then the user thinks they're scrolling up in the page, but in fact they're only scrolling up in the scroll jail.”
Fisher added: “Like a dream in Inception, the user believes they're in their own browser, but they're actually in a browser within their browser.”
The developer also said: “I can imagine this technique fooling users who are less aware of it, and who are less technically literate.
“The only time the user has the opportunity to verify the true URL is on page load, before scrolling the page. After that, there’s not much escape.”
Written by David Minister