Google Releases More Critical Fixes For Chrome’s Windows And Mac Users

If you’re one of the billions of users of Google Chrome, then two separate warnings have just been issued that you should take seriously...

The first of these warnings impacts Chrome’s desktop users—on Windows and Mac. Google has just confirmed a security update that includes at least three high-severity fixes for vulnerabilities of the kind that have been exploited in the past.

Two of the three vulnerabilities addressed in stable channel 124.0.6367.60/.61 relate to Chrome’s JavaScript and WebAssembly engine, which might enable a “remote attacker to potentially exploit object corruption via a crafted HTML page.” Again, there is no suggestion yet of any exploits in the wild, but now that this is public, that could change.

The other fix is for a use-after-free issue, which means an attacker might be able to use dangling pointers to reach memory after it has been freed, with the risk that the platform or device might be destabilized, opening up other vulnerabilities.

Google does not openly publish details of security issues at this early stage “until a majority of users are updated with a fix.” Even then, details might be withheld if the affected software is widely deployed across other systems.

The takeaway for users is the usual: update now, or as soon as you can. Despite details being withheld, the risk once vulnerabilities are confirmed, even with scant detail, is that they might be exploited, taking advantage of the fact that many users are remiss in how quickly they update their software.

The second warning is very different and impacts Android users. Another rogue Chrome lookalike has been caught in the wild. The trojan “masquerading as Google Chrome... takes advantage of the popularity and trust associated with Chrome to trick users into downloading and installing it.” The team at G Data say that the software is being promoted through email and messaging platforms.

This isn’t available on the official Play Store—users will be directed to other sites or downloads. We have already seen instances this year of Chrome’s likeness being used to push malicious apps. This example “mimics the icon of Chrome, making it almost indistinguishable from the real app, save for a black contour stroke in the logo.”

The malware—dubbed Mamont—is designed to steal from users by tricking them into providing contact and credit card details on the premise that they’ve been awarded a cash prize that needs to be collected.

This particular campaign appears to target users in Russia, but the warning applies to all users. Do not install apps from random third-party stores, and do not grant permissions such as SMS or phone dialer access to an app unless they are logically required by the app and the app itself is from a very trusted source.

Google’s Play Protect should keep you safe from such copycats, even if they have been installed from outside its own Play Store. You need to ensure it’s enabled. But even so, this isn’t something that can be relied on instead of taking sensible measures to keep your device and data safe from malicious actors.

Here are the five golden rules—you should follow them:

  1. Stick to official app stores—don’t use third-party stores and never change your device’s security settings to enable an app to load.
  2. Check the developer in the app’s description: is it someone you’d like inside your life? And check the reviews: do they look legitimate or farmed?
  3. Do not grant permissions to an app that it should not need: torches and star-gazing apps don’t need access to your contacts and phone. And never grant accessibility permissions that facilitate device control unless you have a need.
  4. Never ever click links in emails or messages that directly download apps or updates—always use app stores for installs and updates.
  5. Do not install apps that link to established apps like WhatsApp unless you know for a fact they’re legitimate—check reviews and online write-ups.
