Yes, a fake Chrome update is out there circulating, but Google released a real one this week as well, with nine patches that earned combined bug bounties of $14,000.
The malware-delivering “update” is for Android, but the latest stable channel has been legitimately updated to 50.0.2661.94 for Windows, Mac and Linux. Four of the flaws are considered high-severity.
Though Google didn’t release all the details of the bugs (and won’t, until the majority of users have updated), it did list the topline information: The high-severity flaws were: Out-of-bounds write in Blink; memory corruption in cross-process frames; use-after-free in extensions; and use-after-free in Blink’s V8 bindings. These all earned $3,000 each for external researchers.
Meanwhile, medium-severity issues include address bar spoofing and an information leak in V8—these earned $1,000 each. In total, five researchers split the $14,000.
Google also fixed an additional three security bugs using internal resources (CVE-2016-1666) that included “various fixes from internal audits, fuzzing and other initiatives.”
On the same day that the desktop patches were released, news broke that the research team at technology company Zscaler uncovered what purported to be a mobile Chrome update. What the .APK actually is, however, is a new Android Infostealer malware which is capable of harvesting call logs, SMS data, browser history and banking information and sending them to a remote command and control server. It also presents bogus payment pages which ask for credit card information. If this is filled in, the Infostealer sends the card details to a Russian phone number.
The firm said the malware also has the ability to go unseen by checking for well-known installed anti-virus applications such as Kaspersky, ESET and Avast and terminating them.
So how to tell the malicious thing from the real thing? Common sense. Real updates should only be downloaded from the vendor or provider’s website.
“It's important to note that the malware does not rely on any exploits or vulnerabilities to function—it merely relies on scare tactics, almost certainly delivered by compromised advertising networks and websites,” said Tod Beardsley, security research manager at Rapid7, via email. “The user is tricked into downloading an update for the stock Chrome Browser not from the Play store, and once downloaded, the APK asks for administrative access. If successful, the malware can perform any action on behalf of the user.
Photo © Alexander Supertramp/Shutterstock.com