Developer Jim Fisher has explained on his blog how malicious websites can replace Chrome for Android’s address bar with their own fake version.
When you scroll down a page using Chrome for Android, the address bar is hidden. Once the bar is hidden, a website can use the space to implement its own fake bar instead.
While Chrome usually displays its URL bar when you scroll back up, Fisher found that by using the “overflow:scroll” CSS property, one can force the content into a “scroll jail” – which Fisher describes as “a browser within their browser”.
Even in this scenario, the user should be able to exit the “jail” by scrolling up. However, Fisher explained that this can be disabled.
“We insert a very tall padding element at the top of the scroll jail. Then, if the user tries to scroll into the padding, we scroll them back down to the start of the content,” said Fisher.
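The structure Fisher describes (a full-height scrolling container with an oversized empty padding block at the top) is something a page-inspection tool can look for. The following is an added example, not code from Fisher's post or from Chrome: a heuristic detector run over a constructed plain-object DOM model so it executes offline in Node. The element model, the viewport height, the 3x padding threshold and the sample pages are all my assumptions for illustration.

```javascript
// Added example: heuristic detection of a "scroll jail" layout.
// Assumption (mine, not from the article): a jail is an element that
// scrolls (overflow-y: scroll/auto), fills the viewport, and whose first
// child is an empty block several times taller than the viewport.

const VIEWPORT_HEIGHT = 700; // constructed: a typical phone viewport in CSS px

// Minimal element model: { tag, style, children, text }. Heights are either
// a number of CSS px or the string '100vh' (enough for this illustration).
function el(tag, style = {}, children = [], text = '') {
  return { tag, style, children, text };
}

function isScrollContainer(node) {
  const o = node.style.overflowY || node.style.overflow || 'visible';
  return o === 'scroll' || o === 'auto';
}

function fillsViewport(node, vh) {
  const h = node.style.height;
  if (h === '100vh') return true;
  if (typeof h === 'number') return h >= vh * 0.9;
  return false;
}

// An empty block that is far taller than the viewport: the "very tall
// padding element" used to keep the user from scrolling out of the jail.
function isTallPadding(node, vh, factor = 3) {
  const h = node.style.height;
  const empty = node.children.length === 0 && node.text.trim() === '';
  return empty && typeof h === 'number' && h >= vh * factor;
}

// Walk the tree and report every element matching the jail pattern,
// with a simple path so a reviewer can locate it.
function findScrollJails(root, vh = VIEWPORT_HEIGHT) {
  const hits = [];
  (function walk(node, path) {
    if (isScrollContainer(node) && fillsViewport(node, vh) &&
        node.children.length > 0 && isTallPadding(node.children[0], vh)) {
      hits.push({ path, paddingHeight: node.children[0].style.height });
    }
    node.children.forEach((c, i) => walk(c, `${path}/${c.tag}[${i}]`));
  })(root, root.tag);
  return hits;
}

// Constructed sample pages (not real sites).
// A normal page with an ordinary scrollable comments box: should not match.
const benignPage = el('body', {}, [
  el('div', { overflowY: 'auto', height: 300 }, [el('p', {}, [], 'scrollable comments')]),
]);

// The layout described in the article: body scrolling disabled, a
// viewport-sized scroll container whose first child is a huge empty block.
const jailPage = el('body', { overflow: 'hidden' }, [
  el('div', { overflowY: 'scroll', height: '100vh' }, [
    el('div', { height: 100000 }),                 // tall empty padding
    el('div', {}, [el('p', {}, [], 'page content')]),
  ]),
]);

console.log(findScrollJails(benignPage)); // []
console.log(findScrollJails(jailPage));   // one hit at body/div[0]
```

This flags layout only: the scroll-back handler Fisher mentions is behaviour, not structure, and cannot be seen in a static tree. In a browser the same checks would be made against getComputedStyle and getBoundingClientRect rather than a hand-built model, and some legitimate infinite-scroll or virtualised-list pages will also use tall spacer blocks, so a hit is a prompt for review rather than proof of spoofing.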
The only way to check whether the address bar is fake is to lock and then unlock your phone, after which both address bars will be displayed.