About 500 million malicious ads were pushed out to iPhones, almost all in the United States, during a six-day barrage in early April. The researchers at ad-verification firm Confiant who discovered the campaign fear another onslaught over the upcoming Easter weekend.
Apple users are prime targets for malicious ads, both on desktop and mobile devices, because of their perceived higher-than-average income and because there’s less traditional malware targeting either macOS or iOS.
In case the malicious ads sound familiar, the same gang of criminals targeted Macs with pop-ups and fake ads over the Presidents’ Day weekend in February, and before that over Thanksgiving weekend in 2018 — hence Confiant’s nickname for the group, “eGobbler.”
Most modern browsers, especially those on mobile platforms, "sandbox" the ads they run: each ad is loaded in an isolated frame with a restricted set of permissions, so malicious code in an ad can't jump out to tamper with the rest of the page, the browser, or the operating system. Modern browsers are also very good at blocking unwanted pop-up windows. For reasons as yet undisclosed, Chrome for iOS fails to block pop-ups or sandbox ads under certain conditions.
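The article does not say how the eGobbler creatives escape Chrome for iOS, so the following does not reproduce that bypass. It is an added example, not code from the article or from Confiant, showing the sandboxing the paragraph describes from the publisher's side: a Node.js script that audits the `<iframe>` tags on an ad slot and flags any frame that is not confined by the HTML `sandbox` attribute, or that re-grants the tokens a pop-up or redirect payload needs (`allow-popups`, `allow-top-navigation` and friends). The sample markup, the `ads.example` URLs and the helper names are constructed for the example.

```javascript
// Added example (not from the article or Confiant): audit the <iframe> tags in an
// ad slot's markup and flag frames that are not sandboxed, or whose sandbox re-grants
// the permissions a pop-up/redirect payload needs. Plain Node.js, no dependencies.
// The sample HTML below is constructed input, not a real publisher page.

// Sandbox tokens that let a creative open windows or navigate the host page.
// `allow-scripts` alone is not flagged (ads need it to run at all), but combined with
// `allow-same-origin` it lets a same-origin frame remove its own sandbox attribute.
const RISKY_TOKENS = new Set([
  "allow-popups",
  "allow-popups-to-escape-sandbox",
  "allow-top-navigation",
  "allow-top-navigation-by-user-activation",
  "allow-modals",
]);

// Pull every <iframe ...> start tag out of a markup string and return its attributes.
// A regex is adequate for ad-slot snippets; a real DOM parser would be used in production.
function parseIframes(html) {
  const frames = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    let attr;
    attrRe.lastIndex = 0;
    while ((attr = attrRe.exec(tag[1])) !== null) {
      // A bare attribute such as `sandbox` with no value is recorded as "".
      attrs[attr[1].toLowerCase()] = attr[2] ?? attr[3] ?? attr[4] ?? "";
    }
    frames.push(attrs);
  }
  return frames;
}

// Classify one frame as "unsandboxed" (no sandbox attribute at all), "risky"
// (sandboxed, but re-grants escape tokens) or "confined", listing the offending tokens.
function auditFrame(attrs) {
  const src = attrs.src || "";
  if (!("sandbox" in attrs)) {
    return { src, verdict: "unsandboxed", tokens: [] };
  }
  // An empty sandbox="" is the most restrictive setting: every token is denied.
  const tokens = attrs.sandbox.toLowerCase().split(/\s+/).filter(Boolean);
  const bad = tokens.filter((t) => RISKY_TOKENS.has(t));
  if (tokens.includes("allow-scripts") && tokens.includes("allow-same-origin")) {
    bad.push("allow-scripts+allow-same-origin");
  }
  return { src, verdict: bad.length ? "risky" : "confined", tokens: bad };
}

function auditAdSlots(html) {
  return parseIframes(html).map(auditFrame);
}

// Constructed sample: three ad slots as a publisher page might embed them.
const SAMPLE_PAGE = `
<div class="ad"><iframe src="https://ads.example/creative/1" width="300" height="250"></iframe></div>
<div class="ad"><iframe src="https://ads.example/creative/2" sandbox="allow-scripts allow-popups allow-top-navigation"></iframe></div>
<div class="ad"><iframe src='https://ads.example/creative/3' sandbox="allow-scripts allow-forms"></iframe></div>
`;

for (const r of auditAdSlots(SAMPLE_PAGE)) {
  console.log(`${r.verdict.padEnd(12)} ${r.src} ${r.tokens.join(",")}`);
}
```

The first slot is the one to worry about on any browser: with no `sandbox` attribute the creative's script runs with the same privileges as the host page. The second is sandboxed in name only, since `allow-popups` and `allow-top-navigation` are exactly the capabilities a forced-redirect ad needs. Only the third is confined. Note that this check is a publisher-side control; the article's point is that Chrome for iOS was failing to honour these restrictions at all under some conditions, which no amount of markup auditing on the page can compensate for.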
The Chrome for iOS browser is an odd hodgepodge of code. Apple requires every third-party browser on iOS to use the system's WebKit rendering engine, so Chrome for iOS is really Google's own interface and sync layer wrapped around Apple's WebKit code. Yet Safari for iOS, which uses the same engine, isn't vulnerable to these malicious ads, and neither are the Chrome browsers for Windows, Macs and Android, which suggests the flaw lies in Chrome's own layer rather than in WebKit itself.
“Chrome on iOS was an outlier in that the built-in pop-up blocker failed consistently,” Confiant’s Eliya Stein wrote in a blog post yesterday (April 16). “The security bug is still unpatched in Chrome.”
Google is aware of the problem, but until it fixes the flaw in Chrome for iOS, iPhone users should stick to Safari or another browser. Confiant says it will publish the technical details of how the ads defeat Chrome's pop-up blocker and sandbox only after Google has shipped a fix.