UPDATE

About a half a billion Apple iOS users (and counting) have been hit by session-hijacking cybercriminals bent on serving up malware. They’re exploiting an unpatched flaw in the Chrome for iOS browser, to bypass sandboxing and hijack user sessions, targeting iPhone and iPad users.

The attacks are the work of the eGobbler gang, researchers said, which has a track record of mounting large-scale malvertising attacks ahead of major holiday weekends. Easter is coming up, and the crooks are banking on consumers spending a lot more time than usual browsing the web on their phones.

Session hijacking occurs when a user is browsing a web page and is suddenly redirected to another site or landing page, or when a pop-up appears that one can’t exit out of. The pages look like ads from well-known brands; but in reality, if a user clicks on one of them, a payload is deployed.

In this case, “the campaign…is currently still active under ‘.site’ TLD landing pages,” said Eliya Stein at Confiant, in an analysis this week. “With half a billion user sessions impacted, this is among the top three massive malvertising campaigns that we have seen in the last 18 months.”

The offensive is mainly targeting U.S. users, though some European activity has been observed.

Meanwhile, at least one other research firm said that the attack is effective against Apple Safari users as well – opening up a much larger threat surface, given that most iOS users make use of Apple’s default browser for mobile web surfing.

Unpatched Chrome Bug

The campaign has been able to gain such reach over the course of just a few days (it’s only been active since last week), because it’s making use of an unpatched bug in Google Chrome for iOS, according to the analysis.

Stein said that the campaign surprised Confiant researchers, because it uses pop-ups rather than redirects. Native browser ad- and pop-up blockers are typically pretty effective in preventing these kinds of attacks, so pop-ups are rarely seen as a primary hijack mechanism in malvertising.

“We tested the payload across over two dozen devices, both physical and virtual,” Stein said. “The malicious code itself has hard-coded logic that targets iOS, so we removed that condition in order to see the results of the full execution on all of the devices that we tested…Right away we were surprised to find that the payload’s main session hijacking mechanism was pop-up based, and furthermore, Chrome on iOS was an outlier in that the built-in pop-up blocker failed consistently.”

In looking at why the blocker was failing, they discovered that in Chrome for iOS, the pop-ups are not preventable by standard ad sandboxing attributes. These attributes are essentially rules that can be applied to an iFrame in order to restrict the actions and APIs available to the content from within that iFrame.

“These restrictions can include directives like disallowing JavaScript or blocking top level navigation unless prompted by user action,” Stein explained. “Sandboxing tends to have a pretty substantial impact as far as malicious ad mitigation is concerned.”

In testing the eGobbler payload against Google’s standard set of sandboxing attributes, the team discovered that the eGobbler exploit successfully circumvents many of them, including the rule for allowing pop-ups only as a result of direct user interaction. That means that a pop-up can appear randomly, on a drive-by basis, without being blocked.

“The fact that this exploit is able to bypass that need for user interaction should be impossible according to the same-origin policy as it pertains to cross-origin iFrames,” Stein said, referring to the common web architectural policy of preventing a script on one page from obtaining access to sensitive data on another web page. “Furthermore, this completely circumvents the browser’s anti-redirect functionality, as the attacker no longer needs to even spawn a redirect in order to hijack the user session.”

This bug is therefore at the root of why the attack has managed to be so virulent in such a short amount of time, he said.

“Where standard sandboxing rules … would ultimately succeed in blocking certain redirections, they consistently failed to protect users from this campaign on iOS Chrome,” Stein noted.

Confiant isn’t releasing details on the payload itself or the proof-of-concept yet, because Google has been notified of the problem and is working on a patch. Meanwhile, the campaign continues.

The overall push so far has been composed of eight individual campaigns using 30 fake ads, each with its own targeting.

“The typical entry points for eGobbler campaigns are legitimate ad servers that they infect coupled with one or more buy-side platforms,” Stein explained. “They use cloaked intermediate CDN [content delivery network] domains as part of their ad delivery. Quite often these domains sit behind at least a single layer of client-side fingerprinting. In attempt to fly under the radar, eGobbler attempts to smuggle their payloads in popular client-side JavaScript libraries such as GreenSock.”

Possible Safari Issue?

As widespread of an attack as this is for Chrome users on iPhone and iPad, Mike Bittner, digital security and operations manager of the Media Trust, told Threatpost that the Media Trust has seen the campaign affect Safari users as well.

“The fraudulent reward pop-ups masquerading as ads from highly recognized retailers are taking advantage of JavaScript functions that are normally used to serve ads, exhibiting their familiarity with the digital ad supply chain’s advantageous reach,” he said via email. “These malicious actors are becoming more complex in their malware authoring techniques. Today’s malware is increasingly polymorphic, sneaking past blockers through a combination of obfuscation, code switching and malicious domain changes…and if anything [this] shows why blockers alone are not a security solution, but a Band-Aid.”

He added that there is a similar bug in Safari that allows the JavaScript to execute even when blockers are in place.

“And yes, the redirection of users to the popups occur even without user interaction,” he confirmed to Threatpost. “This is an issue across a lot of browsers.”

The assessment, he added, is based on scanning more than 10 million sites each day and behavioral analysis of previous malware attacks.

Stein responded via tweet, saying, “I can confirm Safari users are susceptible to the usual redirect mechanism of session hijack when sandboxing is absent, but the pop-up blocker bypass only effects Chrome. eGobbler attempts both for max impact.”

This post was updated at 5 p.m. April 18 with further comments from The Media Trust’s Bittner, and at 6:15 p.m. with input from Stein.

Don’t miss our free Threatpost webinar, “Data Security in the Cloud,” on April 24 at 2 p.m. ET.

A panel of experts will join Threatpost senior editor Tara Seals to discuss how to lock down data when the traditional network perimeter is no longer in place. They will discuss how the adoption of cloud services presents new security challenges, including ideas and best practices for locking down this new architecture; whether managed or in-house security is the way to go; and ancillary dimensions, like SD-WAN and IaaS.