In early 2025, security researchers identified a new vulnerability in Google Chrome for Android: CVE-2025-9867. It entered the spotlight as an "inappropriate implementation" within Chrome's Downloads feature (versions prior to 140.0.7339.80). The flaw allowed a remote attacker to spoof the Android browser's user interface (UI) using a carefully crafted HTML page.
If you use Chrome on your Android device, or if you develop web apps viewed on Chrome, it's important to understand what happened, what might have been possible for attackers, and how Google eventually fixed the problem.
What is CVE-2025-9867?
CVE-2025-9867 is a medium-severity bug tracked by the Chromium project. In simple terms, it allowed a website to show a fake Android Downloads dialog, tricking users into thinking they were interacting with Chrome's real interface.
A remote attacker could exploit this by convincing someone to visit a specially crafted web page. That page could make Chrome display a pop-up or UI element that *looked exactly like* a system download dialog, so a user could be fooled into granting permissions, downloading suspicious apps, or even sharing sensitive information.
What went wrong?
On Android, Chrome uses a special UI for file downloads. This UI isn't meant to be faked by regular web pages. However, prior to version 140.0.7339.80, the Downloads implementation failed to properly isolate the real system UI from content loaded inside the browser.
The browser allowed HTML and JavaScript from web content to overlay graphics and input elements over its native dialogs.
Suppose a user is on malicious.example.com, which serves this HTML:
<html>
<body style="margin:0;">
  <!-- Full-screen overlay resembling the Downloads dialog -->
  <div id="fake-dialog" style="
    position:fixed; top:0; left:0;
    width:100vw; height:100vh;
    background:white; z-index:9999;
    display:flex; flex-direction:column; justify-content:center; align-items:center;">
    <img src="downloads_dialog_screenshot.png" alt="Fake Downloads Dialog" style="width:80vw;">
    <button onclick="alert('Downloading malware!')">Download</button>
  </div>
  <script>
    // Optionally, trigger this overlay after a fake download starts
    // For even more realism, trigger after user interacts with the page
  </script>
</body>
</html>
This HTML draws an image of the Chrome Downloads dialog on top of everything. To a regular user, it looks like the *real* Downloads dialog they trust. They might not realize it's entirely fake and being served from the web page.
How would you fall for it?
If you think you’re confirming a download—maybe clicking "Open," "Allow," or "Install"—what you’re really doing is interacting with attacker-chosen code.
Links to Original References
- Chromium Issue Tracker: CVE-2025-9867 *(Link placeholder; search once the issue is public)*
- Chrome Releases Blog: Stable Channel Update for Android (140.0.7339.80)
- Android Security Bulletin Archive
1. Malware Delivery:
- The attacker website shows a UI overlay *identical* to the real Chrome Downloads prompt.
- When you click Allow, you're really launching a script that downloads malware or tries to get you to install a rogue APK.
2. Phishing / Permission Hijack:
- The fake dialog could request logins, SMS permissions, or payment details, pretending to be Chrome or system pop-ups.
- The browser's real UI is supposed to be outside the reach of web code.
- This bug let attackers bridge that gap, blurring the line between trusted browser elements and web content.
How Did Google Fix It?
With version 140.0.7339.80, Google patched the flaw by restricting how web content can interact with or overlay system dialogs. This shored up the boundary between browser UI and webpage code, preventing spoofing like this in future releases.
- Check URLs before interacting with download dialogs or system prompts.
- Look for inconsistencies: If something seems off with a browser dialog (blurry graphics, old styles, misplaced icons), it might be spoofed.
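As an added example (not from the article or from the Chromium project), here is a small Python check an Android administrator could run over `adb shell dumpsys package com.android.chrome` output to see whether an installed Chrome still predates the 140.0.7339.80 fix. The dumpsys sample is constructed, and the comparison is numeric so that a build such as 99.x is not mistaken for a newer one by string ordering.

```python
"""Check whether an Android Chrome install predates the CVE-2025-9867 fix.

Reads the versionName line from `dumpsys package` output and compares it
numerically against the first fixed build named in the article.
"""
import re

FIXED_VERSION = "140.0.7339.80"  # first Android Chrome build with the fix

# Constructed sample of the relevant `dumpsys package` lines.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.android.chrome] (1a2b3c4):
    userId=10123
    versionCode=725815800 minSdk=26 targetSdk=35
    versionName=139.0.7258.158
    splits=[base, config.arm64_v8a]
"""


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '140.0.7339.80' into (140, 0, 7339, 80).

    String comparison would rank '99.0.1.1' above '140.0.7339.80', so each
    component is converted to an int before comparing.
    """
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(part) for part in version.split("."))


def version_from_dumpsys(dumpsys_output: str) -> str:
    """Extract versionName from `dumpsys package` output."""
    match = re.search(r"^\s*versionName=(\S+)", dumpsys_output, re.MULTILINE)
    if not match:
        raise ValueError("no versionName line found")
    return match.group(1)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is older than the first fixed build."""
    return parse_version(installed) < parse_version(fixed)


if __name__ == "__main__":
    found = version_from_dumpsys(SAMPLE_DUMPSYS)
    status = "vulnerable" if is_vulnerable(found) else "patched"
    print(f"Chrome {found}: {status} for CVE-2025-9867")
```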
Conclusion
CVE-2025-9867 is a classic example of how UI separation matters just as much as raw code security. While this vulnerability was patched quickly, it highlights the creativity of attackers—sometimes all it takes is a convincing image and a vulnerable implementation.
If you’re interested in the in-depth details, watch the Chromium issue tracker as the embargo lifts. Otherwise, always use the latest browser version—and remember, *not every “Download” button is what it seems*.
Timeline
Published on: 09/03/2025 17:15:35 UTC
Last modified on: 09/04/2025 16:12:58 UTC