Google Safe Browsing system has been implemented by the Google search engine for more than a decade now, designed to block known websites harboring malware or phishing attempts against visitors. It is very efficient, given that Google has the most advanced web crawlers that index the web, marking as websites with harmful contents with a nag screen, stopping the user from ever visiting the malicious websites in the process.
Unfortunately, browser makers such as Mozilla, Apple and even Google failed to check browser’s iOS and Android variants for Safe Browsing compatibility, which was broken for mobile browsers at least a year from July 2017 to the last Quarter of 2018. The shocking revelation was the result of the research conducted by Paypal in partnership with Arizona State University’s academic researchers. This means that the Firefox, Safari and Chrome/Chromium browsers for Android/iOS for more than a year inadvertently exposed users to some malicious sites, as the Google Safe Browsing was broken under the mobile browser variants.
The research team from Arizona State University and Paypal used an internal project in prototype form from 2017-2018 timeframe to detect the effectiveness of automation with securing Internet users. The project was dubbed PhishFarm, under the project, a controlled environment where the research team deliberately established 2,380 genuine-looking PayPal website and allowed a certain number of “test victims” visit these websites for their “busy workloads”.
The normal behavior for a Google Safe Browsing-aware browser to check Google if the website has no known malicious elements, however, this only works on desktop-based browsers not with their mobile counterparts. That means that mobile users are exposed to malicious websites that are actually blocked by Google Safe Browsing system during the above mentioned time frame.
With the rapid growth of web browsing through mobile devices, the propensity of users to use the default web browsers installed in their mobile devices greatly increases the risks of users encountering malicious executables and phishing websites. Microsoft’s SmartScreen, a competing service works on all variants of Microsoft Edge browser, both for the desktop operating systems and with Android.
“Following disclosure of our findings, anti-phishing entities are now better able to detect and mitigate several cloaking techniques (including those that target mobile users), and blacklisting has also become more consistent between desktop and mobile platforms— but work remains to be done by anti-phishing entities to ensure users are adequately protected,” added the research team.
In 2019, new versions of mobile Firefox, Safari and Chrome/Chromium has a working Google Safe Browsing system. The browser vendors were able to make the necessary adjustments on how to implement the safe browsing system within their products on the mobile platform. Unfortunately, the statistics of how many mobile users were bitten by a phishing page or received malware due to non-working safe browsing system from last year was not disclosed by any of the browser vendors.