Google to patch Chrome mobile hole after bank trojan hits 318k users

An Android Chrome bug that's already under attack - with criminals pushing banking trojans to more than 300,000 devices - won't get patched until the next release of the mobile browser. The flaw allows malware writers to quietly download Android app installation (.apk) files to devices without requiring approval. Users need …

  1. Tom 64
    FAIL

    Google need to clean house.

    It doesn't help that Google's own advertising platform frequently gets hijacked to perform these kinds of attack. Just today I tapped on a link in Google Now (yes Google's own shit) to a website, which after a mere 10 seconds of allowing me to view the article, promptly redirected me via malvertising to a dodgy download on Google's OWN store with flashing warnings about viruses. FFS.

  2. William 3 Bronze badge

    They only gave Microsoft 7 days.

    Maybe they should focus on securing their own shit rather than checking other people's for security issues, and then throwing a tantrum if it's not fixed in 7 days. Especially when someone points out a flaw in theirs they say "ah fuck it, we'll do it when we're ready".

    1. Anonymous Coward

      Re: They only gave Microsoft 7 days.

      Right, I wonder why they didn't disclose the bug fully, given it's being actually exploited...

      1. Anonymous Coward

        Re: They only gave Microsoft 7 days.

        It has been disclosed - "Downloaded files are broken into pieces and passed to the save function via blob() class"

  3. sabroni Silver badge

    The root of the problem here..

    ..isn't the insecure browser, it's the stupid AdSense network that's pushing links to malware. It doesn't matter how many browser bugs Google fixes if it's going to keep distributing dodgy Ads.

    1. Anonymous Coward

      Re: The root of the problem here..

      "isn't the insecure browser"

      Running Java on Linux doesn't help. Both are horribly insecure and security bug ridden...

      1. Anonymous Coward

        Re: The root of the problem here..

        Err, what?

  4. Tony Paulazzo

    Adverts pushing malware you say, I don't believe it - it's a dirty plot from those nasty adblocker people! /s

  5. RyokuMas
    Angel

    Karma...

    ... it's a bitch, ain't it?

  6. Gio Ciampa

    This is why

    I tell the devs who whine about the lack of income from my blocking ads to get stuffed...

    ...if you're too lazy to host (and vet) your own... I don't want to know...

  7. adam payne

    You make a big deal out of a security issue that Microsoft hasn't patched that is being exploited but yet when it happens to you it won't be patched until the next version of Chrome.

    Google = pot calling the kettle.

  8. Anonymous Coward

    Mitigation

    "Users need to install the banking trojan apps and tweak settings to allow installation of apps from stores other than Google Play to be infected"

    That's the end of this "news". Essentially this is nothing about malware or banking Trojans, it's only about being able to create files in a user's download directory without their knowledge or permission. Everything else is just trying to tack something onto this story.

  9. noddybollock

    Every little helps ???

  10. Anonymous Coward

    Oooh Mobiles

    Off topic but I'll chuck in...

    For the last week I've seen (poor/slow) brute force FTP access attempts at the FTP server, looks like a botnet as they hit in turn sequentially from different IPs but using same user/password lists, most of the IPs have been cellular networks. Either I've got on to a list of an existing mobile botnet or some new exploited handsets are hitting targets and guessing user/pass combinations from the domain name.

    One password tried was "derok010101" which gets some web hits but not specifically from mobiles.

  11. Howard Hanek
    Happy

    Question

    Did Google hit to pay for their patch?

  12. UncleZoot

    I love it!

    Google outed Microslop over security vulnerabilities, then a week later gets gobsmacked with their own security issues. Way to go Alphabet! Does Google have deep pockets for this screw-up?

    Not sure who I dislike more, Google or Fakebook.
