Most of the time people identify malicious websites based on the URL in the address bar. A new vulnerability allows attackers to spoof that URL in android Stock browser and trick users into supplying sensitive information to phishing websites.
The vulnerability is an issue the Android Lollipop as well as prior versions. The problem is caused due to the fact that the browser fails to handle 204 error "No Content" responses when combined with window.open event, thereby allowing hackers to spoof the address bar.
A proof of concept shows that in case of a site with no content which has been opened with an unpatched Android Stock browser, the users are redirected to a page with the URL "http://www.google.com/csi".
This leads the user to think that it is a secure site hosted on google whereas it is a phishing site. As soon a the users enter the credentials, those are sent to attacker.com.
It was reported to the Android security team by Rafah Baloch, in February. The Android team has released patches for both Kitkat and Lollipop. It is advisable that users contact the service providers to determine whether they have received the updates.
