Chrome flaw on iOS leads to 500 million unwanted pop-up ads
If you own an iOS device and use the Chrome browser, there is a chance that during the last week you’ve encountered some strange-looking advertising pop-ups.
According to security company Confiant, which took a closer look at these campaigns, a typical message might look something like this:
There are no rewards, of course, because these pop-up ads are run by a cybercrime group and exist to generate revenue for the crooks – you don’t get to share the spoils.
But the bigger question that bugged Confiant’s researchers when they analysed the pop-ups was how they were bypassing Chrome’s iOS ad-blocking protection.
The volume of campaigns was massive: 500 million pop-ups since 6 April 2019, apparently featuring 30 adverts connected to a cybercrime group called eGobbler.
Aiming such a large volume of ads at the users of one platform and browser, iOS Chrome, also looked a little unusual.
Sure enough, Confiant discovered the campaigns had found a way to beat Chrome’s pop-up blocker by exploiting a previously unknown and unpatched security vulnerability.
Google was told of the issue last week. Confiant hasn’t yet explained the flaw in detail because it remains unpatched:
We will be offering an analysis of the payload and POC [proof-of-concept] exploit for this bug in a future post given that this campaign is still active and the security bug is still unpatched in Chrome as of this blog post.