User Interface Spoofing in F-Secure SAFE Browser for Android
Description
A user interface overlay vulnerability was discovered in F-Secure SAFE Browser for Android. When a user clicks on a specially crafted, seemingly legitimate URL, SAFE Browser goes into full screen and hides the user interface. A remote attacker can leverage this to perform a spoofing attack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
F-Secure SAFE Browser for Android has a UI overlay vulnerability allowing remote attackers to perform spoofing attacks when users click crafted URLs.
Vulnerability
A user interface overlay vulnerability exists in F-Secure SAFE Browser for Android [1]. When a user clicks a specially crafted URL that appears legitimate, the browser enters fullscreen mode and hides the user interface elements. This allows an attacker to spoof the browser chrome [1]. Affected versions include all releases prior to the fix; specific version numbers are not disclosed in the available references.
Exploitation
An attacker must craft a URL that appears benign to the victim [1]. Upon clicking the URL, the victim's SAFE Browser enters fullscreen mode and hides the address bar and other UI components [1]. The attacker can then display arbitrary content in place of the true interface, enabling spoofing of trusted sites [1]. No additional authentication or network position is required beyond delivering the crafted link to the user.
Impact
Successful exploitation allows the attacker to perform spoofing attacks [1]. The victim may be tricked into interacting with a fake interface, potentially leading to disclosure of sensitive information or installation of malicious content [1]. The impact is limited to UI spoofing; remote code execution is not achieved.
Mitigation
F-Secure has acknowledged the vulnerability and recommends users update to the latest version of SAFE Browser for Android [1]. The advisory lists related CVEs but does not specify the exact fixed version [1]. Users should ensure their app is up to date via the Google Play Store [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 18.5x
Patches
No patches discovered yet.
References
- www.f-secure.com/en/business/programs/vulnerability-reward-program/hall-of-fame (mitre, x_refsource_MISC)
- www.f-secure.com/en/business/support-and-downloads/security-advisories/cve-2021-40834 (mitre, x_refsource_MISC)