Malvertising campaign abuses Chrome for iOS bug to target iPhone users

Bug affects only Chrome for iOS, not Safari and not any other Chrome version.
Written by Catalin Cimpanu, Contributor

A massive malvertising campaign is exploiting a vulnerability in the Chrome for iOS mobile browser to redirect iPhone and iPad users to adware, scams, and other malicious sites, ZDNet has learned today from Confiant, a cyber-security firm that specializes in tracking malvertising campaigns.

The company said it had reported the bug to Google, whose engineers are now investigating the issue.

The bug allows malicious code hidden in online ads to break out of sandboxed iframes (a technology often used to load ad slots) and redirect the user to another site, or show an intrusive popup on top of a legitimate site.

The bug only impacts Chrome for iOS, and no other Chrome version, Eliya Stein, Confiant Senior Security Engineer, told ZDNet today in an email.

Chrome for iOS isn't a Chromium-based browser but runs on WebKit, which is Safari's internal browser rendering engine. However, Stein told us that Safari is not impacted either, meaning this is an issue with Google's Chrome for iOS WebKit implementation only.

eGobbler campaign targets US-based iOS users

According to Stein, this particular malvertising campaign is the work of a known threat actor named eGobbler, first seen during the Thanksgiving holiday last year.

"We have seen eGobbler flare-ups around major holidays," Stein told ZDNet.

Its last flare-up was in February during the Presidents' Day holiday weekend, when eGobbler hijacked as many as 800 million ads over a three-day period to redirect users to tech support scams and phishing sites.

In a report published today and shared with ZDNet, Stein said that eGobbler's latest wave of malicious ads (the ones that abused the Chrome for iOS bug) had around 500 million impressions during which eGobbler attempted to redirect users from legitimate sites to malicious sites.

Most of these malicious ads were seen between April 6 and April 10 and hit iOS users based in the US, who are eGobbler's typical and historical targets.

[Figure: eGobbler April campaign. Image: Confiant]

Confiant said it saw eight separate smaller campaigns during which the eGobbler malvertiser placed malicious ads on behalf of 30 fake companies.

With the Easter holiday coming this weekend, Confiant now warns of impending attacks, as advertising companies will have fewer staffers on hand to filter and ban malicious ads from their networks when eGobbler decides to get a new malvertising campaign rolling.

Stein also described eGobbler as one of today's top three operators of malvertising campaigns, with the other two being VeryMal and ScamClub, both of which had similarly and historically targeted US-based iOS users.

