Developer James Fisher has discovered an exploit in Google Chrome for Android that can be used for phishing attacks.
The exploit, which Fisher calls the "inception bar", takes advantage of the fact that the browser hides the address bar when users scroll down the page. When this happens, the exploit displays a fake address bar, so a phishing site looks like a legitimate one.
When the user scrolls back up, the exploit can force Chrome to keep the real address bar hidden, so the user is none the wiser.
This attack can be used to make users believe that they are on a legitimate banking site, so that they enter their username and password.
Fisher's demonstration used a screenshot of a bank's address bar. It looks convincing, but a user who tries to interact with it finds that it is just an image.
While the exploit also works on Apple devices, it won't fool anyone there, because the iOS version of Chrome doesn't hide the address bar when the user scrolls down, so users see both the fake and the real address bars.