Trend Micro has made the decision to remove the Privacy Browser from its Dr Safety Android security suite after a reoccurring flaw was discovered in its software.
As reported by The Register, the vulnerability, which could be abused to trick users into believing that malicious web pages were legitimate, was first discovered by security consultant Dhiraj Mishra who responsibly reported it to the company back in April.
If exploited by an attacker, the bug could be used to alter the address bar on pages viewed in Trend Micro’s Privacy Browser. For example, a phishing page designed to steal users’ banking credentials could rewrite the URL bar to show the bank’s real domain name as opposed to the URL used by the attackers.
Mishra explained that the flaw would be fairly easy to exploit and that an attacker would have plenty of targets to choose from given its install base of 10m people in an interview with The Register, saying:
The vulnerability, tracked as CVE-2018-18334, has been confirmed by Trend Micro, though the company has decided to disable the browser outright instead of developing a patch for the flaw. Just by looking at the CVE assignment, you can see that the bug was first discovered in 2018 and the company has tried to deal with it in the past.
Back in January of last year, Trend Micro tried to patch the vulnerability but this year, Mishra was able to identify multiple address spoofing bugs of the same type that had not been fixed in the software. This explains why Trend Micro has now chosen to disable the Privacy Browser all together in its Dr Safety Android app.
Via The Register