Google’s threat analysis group (TAG) said hackers “created malformed code signatures” that would be considered as “valid by Windows” but could not be detected by OpenSSL code used in security scanners.
The tech giant advised its 2.6billion users to be aware in a new blog post, revealing four “high” rated vulnerabilities – days after discovering Chrome’s 12th and 13th “zero day” exploits, reported Forbes.
Described as riskware, OpenSUpdater shows ads on victims’ browsers and then installs unwanted programs into their PCs.
TAG discovered that the OpenSUpdater line of software utilizes this new technique.
The latest warning comes after Google advised its users about a security flaw in the browser that hackers could exploit on Monday.
Most of the targeted victims of OpenSUpdater attacks are US-based users prone to downloading cracked games.
While Google has maintained that it is working hard to protect users’ security, cyber experts say it’s time to leave Chrome behind.
This year, the company disclosed the latest in a string of security flaws in a September 24 blog post.
The post confirmed that Chrome’s 11th “zero-day” exploit of the year was found and impacted Linux, macOS, and Windows users. This classification means hackers could use the flaw to their advantage before the tech giant could fix it – upping the threat significantly, Forbes reported.
Google reportedly kept the hack details under wraps to protect users after in-house employees discovered the flaw. According to Forbes, it was revealed just weeks after Google admitted it “accidentally” allowed the secret tracking of millions of users.
At the heart of Google’s latest tracking trouble is the roll-out of a new Chrome API that detects and reports when a user is “idle” or not actively using their device. Google has defended the feature from criticism by security experts who say it can be easily abused by malicious sites seeking sensitive information.
“It was built with privacy in mind and helps messaging applications deliver notifications to only the device the user is currently using.” “This feature, which we only expect to be used by a small fraction of sites, requires the site to ask for the user’s permission to access this data,” Google told Forbes.