A gang of cybercriminals is using a flaw in the Chrome for iOS web browser to bombard iPhone users with pop-up windows and fake ads. The ads whisk users to websites that try to steal their login credentials and bilk them out of money.
About 500 million fake ads were pushed out to iPhones, almost all in the United States, during a six-day barrage in early April. The researchers at ad-verification firm Confiant who discovered the campaign fear another onslaught for the upcoming Easter weekend.
Google is aware of the problem, but until it fixes the flaw in Chrome for iOS, iPhone users should stick to Safari or another browser.
If the malicious ads sound familiar, that's because the same gang of criminals targeted Macs with pop-ups and fake ads over the Presidents' Day weekend in February, and before that over Thanksgiving weekend in 2018 -- hence Confiant's nickname for the group, "eGobbler."
This isn't the only Apple-centric malvertising group Confiant is tracking -- different groups hit Macs hard in January, and iPhones in the weeks before Thanksgiving. Apple users are prime targets for malicious ads, on both desktop and mobile devices, because of their perceived higher-than-average income and because there's less traditional malware targeting either macOS or iOS.
Most modern browsers, especially those on mobile platforms, "sandbox" the ads they run so that malicious code in an ad can't jump out and infect the rest of the browser, or the rest of the operating system. Modern browsers are also very good at blocking unwanted pop-up windows.
For reasons as yet undisclosed, Chrome for iOS fails to block pop-ups or sandbox ads under certain conditions. (Confiant will reveal how after Google fixes the problem.)
The Chrome for iOS browser is an odd hodgepodge of code. It's really a Chrome overlay on top of Apple's own WebKit browser code, because Apple won't allow any non-WebKit browsers on iOS. Yet Safari for iOS, which also uses WebKit, isn't vulnerable to these malicious ads, and neither are the Chrome browsers for Windows, Macs and Android.
"Chrome on iOS was an outlier in that the built-in pop-up blocker failed consistently," Confiant's Eliya Stein wrote in a blog post yesterday (April 16). "The security bug is still unpatched in Chrome."