If you own an iOS device and use the Chrome browser, there is a chance that during the last week you’ve encountered some strange-looking advertising pop-ups.
According to security company Confiant, which took a closer look at these campaigns, a typical message might look something like this:
There are no rewards, of course, because these pop-up ads are run by a cybercrime group and exist to generate revenue for the crooks – you don’t get to share the spoils.
But the bigger question that bugged Confiant’s researchers when they analysed the pop-ups was how they were bypassing Chrome’s iOS ad-blocking protection.
The volume of campaigns was massive – 500 million pop-ups since 6 April 2019, apparently – featuring 30 adverts connected to a cybercrime group called eGobbler.
Aiming such a large volume of ads at the users of one platform and browser, iOS Chrome, also looked a little unusual.
Sure enough, Confiant discovered the campaigns had found a way to beat Chrome’s pop-up blocker by exploiting a previously unknown and unpatched security vulnerability.
Google was told of the issue last week, which Confiant hasn’t yet explained in detail because it remains unpatched:
We will be offering an analysis of the payload and POC [proof-of-concept] exploit for this bug in a future post given that this campaign is still active and the security bug is still unpatched in Chrome as of this blog post.
Dodging the bullet
The ads are not easy to avoid because they trigger on legitimate US and European websites, giving the ads an apparent legitimacy.
Each campaign lasts for 24 to 48 hours:
In an attempt to fly under the radar, eGobbler attempts to smuggle their payloads in popular client-side JavaScript libraries such as GreenSock.
Publishers aren’t choosing to serve these ads – they’re bogus, unwanted and unexpected adverts that winkle their way into the patchwork of ad systems upon which the industry is based.
By the time publishers work out what’s going on – that could take hours, days or even longer – the crooks have moved on to a new campaign with different ads linking to new domains.
What to do?
One giveaway of eGobbler’s pop-up ads is that they often use a .world Top-Level Domain (TLD) as a landing page, so be cautious of those domains if you don’t usually visit .world sites.
Without more detail on the vulnerability, it’s hard to assess what sort of wider threat it might pose or whether it’s mostly about nuisance and inconvenience.
However, until this pop-up bypass is patched in Chrome, you could just stick to Safari, Apple’s own built-in iOS browser.
Anonymous
Ohh, I got the same in Safari on iOS some weeks ago… I moved to Brave. Now my life is a bit better ;)
Ken Sims
A post on Threatpost confirms what Anonymous said about Safari. Threatpost said “Meanwhile, at least one other research firm said that the attack is effective against Apple Safari users as well – opening up a much larger threat surface, given that most iOS users make use of Apple’s default browser for mobile web surfing.”
Personally I don’t do web browsing on my iPhone and I keep Safari disabled so that it can’t be launched by other apps.
Anonymous
I have gotten these on Safari. Often on news articles I wanted to read. So it has happened with Safari too.
Nobody_Holme
Read this post in a Firefox for iPhone tab.
*laughs in Mozilla*
Paul Ducklin
Well, by edict of Apple, all browsers on iOS use the core Apple WebKit rendering system (WebCore and JavaScriptCore) – even Firefox and Chromium, which use their own rendering engines on other platforms, including on macOS. So the various browsers are more similar than different on Apple’s mobile devices…