And using loads of sensitive permissions to pull it off, like accessibility to read the screen. It's not stealing the auth cookies from the app nor throwing exploits at Android to escape the sandbox.
Headline definitely makes it sound like it's a drive-by exploit, but no it's just the usual social engineering everyone is familiar with.
Doesn't it require jumping through a ton of hoops to install apks from unknown sources on modern Android? How many people are A) capable of doing this, and B) naive enough to actually do it?
That said, I don't use Chrome so I've never seen that incredibly shady-looking real update notification they showed in the article. If Google has indeed trained users to expect and accept something like that, then shame on Google. I can't blame users for thinking the fake one is legit. It looks very similar (and it seems like it would be trivial to make it look 100% identical). But still, how does the apk actually get installed?
When I installed fdroid from their website a month or two back it was like 2 or 3 clicks. Then whenever I want to install anything from there it's an extra click or two over what it would be from Play.
I've seen people click through way more complicated processes than this without even knowing they did it. Modern computing has taught people to just keep hitting whatever the approval text is (yes windows, I really do want to copy all of these god damn files. Yes, really, I still do! Yep, again, ALL of them!)
Most of the people I know that aren't tech savvy are at least smart enough to be aware of that fact, so they would already hesitate at 2. The real dangerous people are the confident ignoramuses.
Researchers at fraud risk company ThreatFabric found Brokewell after investigating a fake Chrome update page that dropped a payload, a common method for tricking unsuspecting users into installing malware.
So just a classic fake update button
To protect yourself from Android malware infections, avoid downloading apps or app updates from outside Google Play and ensure that Play Protect is active on your device at all times.
Fine advice for someone who has no idea how their phone works, I suppose
Remember that the bar for entry for a lot of these things is going to be a trip hazard for most Lemmings.
I actually explained 419 scams to someone last week when they got a reasonably well crafted one. There are a lot of people who believe in Nigerian Princes.
The 90's mentality of "Everyone on an Internet is a predator out to rob you or worse" left a mark on me-
I always use a fake name and innocuous, random profile pic if possible.
These daus you're still screwed if someone's that determined, but at least screw the corporations like this.
I never liked the normalization of sharing real names online. I always received weird looks for not doing this. The furthest I could do was using an initial.
Seems a bit clickbaity to me. It's a flaw in Windows/cmd.exe, not Rust. Rust is just called out because it tries to emulated proper argument passing on Windows (and didn't get it perfectly right). All languages are affected by this but most of them just throw their hands in the air and say "you're on your own":
Erlang (documentation update)
Go (documentation update)
Haskell (patch available)
Java (won’t fix)
Node.js (patch will be available)
PHP (patch will be available)
Python (documentation update)
Ruby (documentation update)
It's also extremely unlikely that you'd be running a bat script with untrusted arguments on Windows.
Questionable: should've been replaced with an API call that shows user a pop-up like "do you want to change the default browser to $browser_name?". Rn it's just breaking stuff for the sake of keeping internet chromesplorer.
bleepingcomputer.com
Hot